Roles and Responsibilities

This section outlines the roles and responsibilities an agency should allocate as part of its cyber security function. An agency may not have all the roles outlined below. In these instances, the responsibilities must be allocated to another role at an equivalent level within the organisation. Whilst agencies have flexibility to tailor these roles to their organisational context, all responsibilities must be allocated and performed. Any such changed allocations of responsibilities should be clearly identified when reporting to Cyber Security NSW. See guidance for more information.

ICT & Digital Leadership Group (IDLG)

The IDLG, chaired by the Government Chief Information and Digital Officer (GCIDO), is responsible for:

  • Approving the policy and any updates
  • Ensuring its implementation across NSW Government
  • Reviewing the summarised agency/cluster reports against the policy’s mandatory requirements

Agency heads

The Secretary of a department is accountable for:

  • Appointing or assigning an appropriate senior executive band officer in the agency or across the cluster, with the authority to perform the duties outlined in this policy – this person should be dedicated to security at least at the cluster level
  • Appointing or assigning a senior executive band officer with authority for Industrial Automation and Control Systems (IACS) cyber security for the agency or cluster (if applicable)
  • Ensuring all agencies in their cluster implement and maintain an effective cyber security program
  • Supporting the agency’s cyber security plan

All Agency Heads (e.g. Commissioners, Chief Executive Officers), including the Secretary of a department, are accountable for:

  • Ensuring their agency complies with the requirements of this policy and timely reporting on compliance with the policy
  • Ensuring their agency develops, implements and maintains an effective cyber security plan and/or information security plan
  • Ensuring CISOs (or equivalent) and a senior executive band officer for IACS (if applicable) attend the agency’s risk committee meetings as advisors or committee members
  • Determining their agency’s risk appetite using the approved whole-of-government Internal Audit and Risk Management Policy
  • Appropriately resourcing and supporting agency cyber security initiatives including training and awareness and continual improvement initiatives to support this policy
  • Approving internal security policies as required

Chief Information Security Officers (CISO) or Chief Cyber Security Officers (CCSO)

CISOs and CCSOs, or staff with those responsibilities, are responsible for:

  • Defining and implementing a cyber security plan for the protection of the agency’s information and systems
  • Developing a cyber security strategy, architecture, and risk management process, and incorporating these into the agency’s current risk framework and processes
  • Assessing and providing recommendations on any exemptions to agency or cluster information security policies and standards
  • Attending agency or cluster risk committee meetings, when invited by the Audit and Risk Committee (ARC)
  • Implementing policies, procedures, practices and tools to ensure compliance with this policy
  • Investigating, responding to and reporting on cyber security events
  • Reporting cyber incidents to the appropriate agency governance forum and Cyber Security NSW based on severity definitions provided by Cyber Security NSW
  • Representing their agency on whole-of-government collaboration, advisory or steering groups established by Cyber Security NSW or the cluster CISO
  • Establishing training and awareness programs to increase employees’ cyber security capability
  • Building cyber incident response capability that links to agency incident management and the whole-of-government cyber response plan
  • Collaborating with privacy, audit, information management and risk officers to protect agency information and systems
  • For cluster CISOs, supporting agencies in their cluster to implement and maintain an effective cyber security program, including via effective collaboration and/or governance forums
  • Managing the budget and funding for the cyber security program

Chief Information Officer (CIO) or Chief Operating Officer (COO)

CIOs or COOs, or staff with CIO/COO responsibilities, are accountable for:

  • Working with CISOs and across their agency to implement this policy
  • Implementing a cyber security plan that includes consideration of threats, risks and vulnerabilities that impact the protection of the agency’s information and systems, within the agency’s cyber security risk tolerance
  • Ensuring that all staff, including consultants, contractors and outsourced service providers, understand the cyber security requirements of their roles
  • Clarifying the scope of CIO or COO responsibilities for cyber security relating to assets such as information, building management systems and IACS
  • Assisting CISOs/CCSOs or equivalent positions with their responsibilities
  • Ensuring a secure-by-design approach for new initiatives and upgrades to existing systems, including legacy systems
  • Ensuring all staff and providers understand their role in building and maintaining secure systems

Information Security Manager, Cyber Security Manager or Senior Responsible Officer

Information Security Managers, Cyber Security Managers or Senior Responsible Officers are responsible for one or all of the following within their agency or cluster:

  • Managing and coordinating the response to cyber security incidents, changing threats, and vulnerabilities
  • Developing and maintaining cyber security procedures and guidelines
  • Providing guidance on cyber security risks introduced from business and operational change
  • Managing the life cycle of cyber security platforms including design, deployment, ongoing operation, and decommissioning
  • Ensuring appropriate management of the availability, capacity and performance of cyber security hardware and applications
  • Providing input and support to regulatory compliance and assurance activities and managing any resultant remedial activity
  • Developing a metrics and assurance framework to measure the effectiveness of controls
  • Providing day-to-day management and oversight of operational delivery

NSW Chief Cyber Security Officer (NSW CCSO)

The NSW CCSO is accountable for:

  • Creating and implementing the NSW Government Cyber Security Strategy
  • Building a cyber-aware culture across NSW Government
  • Receiving, collating and reporting on high cyber risks and monitoring cyber security incident reports across NSW Government
  • Reporting on consolidated agency compliance and maturity
  • Chairing the NSW Government Cyber Security Steering Group (CSSG)
  • Consulting with agencies and providing advice and assistance to the NSW Government on cyber security including improvements to policy, capability and capacity
  • Recommending and recording exemptions to any part of the NSW Government Cyber Security Policy
  • Representing NSW Government on cross-jurisdictional matters relevant to cyber security
  • Assisting agencies to share information on security threats and cooperate on security threats and intelligence to enable management of government-wide cyber risk
  • Creating and implementing the NSW Government cyber incident response arrangements
  • Coordinating the NSW Government response to significant cyber incidents and cyber crises

Information Management Officer

A cluster or agency should have a person or persons who fulfil the role of Information Management Officer as part of their role and who are responsible for:

  • Acting as a focal point within their agency for all matters related to information management that are required to support cyber security
  • Ensuring that a cyber incident that involves information damage or loss is escalated and reported to the appropriate information management response team in their agency

Internal Audit

Agency Internal Audit teams are responsible for:

  • Validating that the cyber security plan meets the agency’s business goals and objectives and ensuring the plan supports the agency’s cyber security strategy
  • Regularly reviewing their agency’s adherence to this policy and cyber security controls
  • Providing assurance regarding the effectiveness of cyber security controls

Agency Risk teams are responsible for:

  • Assisting in ensuring the risk framework is applied when assessing cyber security risks and in setting the risk appetite
  • Assisting the agency CISO in analysing cyber security risks
  • Meeting with the cluster CISO to ensure cyber risk frameworks fit into the Enterprise Risk framework

3rd party ICT providers

Agencies are responsible under the cyber security policy for managing cyber security requirements for 3rd party ICT providers, including contract clauses as well as monitoring and enforcement.

Where agencies require 3rd party vendors to comply with the policy, agencies should ensure vendors have the following in place to protect outsourced government systems:

  • Mandatory Requirement 1.5: The ICT provider has a process that is followed to notify the agency quickly of any suspected or actual security incidents and follows reasonable direction from the agency arising from incident investigations (noting this will vary based on risk profile and risk appetite).
  • Mandatory Requirement 2.1: The ICT provider ensures that their staff understand and implement the cyber security requirements of the contract.
  • Mandatory Requirement 3.1: Any ‘Crown Jewel’ systems must be covered in the scope of an Information Security Management System (ISMS) or Cyber Security framework.
  • Mandatory Requirement 3.4: Cyber Security requirements are built into the early stages of projects and the system development life cycle (SDLC), including agile projects.
  • Mandatory Requirement 3.5: Ensure new ICT systems or enhancements include processes for audit trails and activity logging to assess the accuracy and integrity of data, including processes for internal fraud detection.

This does not prevent other contractual obligations being imposed.