🔝Check source for lists of controls, updates and further info → https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cyber-security-roles
To ensure that cyber security is embedded throughout an organisation, it is important that the board of directors or executive committee commits to defining clear roles and responsibilities for cyber security, integrating cyber security throughout all business functions within their organisation, aligning the cyber security strategy for their organisation with the overarching strategic direction and business strategy, and seeking regular briefings or reporting on the cyber security posture of their organisation and the threat environment in which it operates.
To provide cyber security leadership within an organisation, it is important that the board of directors or executive committee champions a positive cyber security culture, including through leading by example.
To assist with embedding cyber security throughout an organisation, it is important that the board of directors or executive committee maintains a sufficient level of cyber security literacy to fulfil both their fiduciary duties and any legislative or regulatory obligations. In addition, the board of directors or executive committee should maintain awareness of key cyber security recruitment activities, retention rates for cyber security personnel, and cyber security skills and experience gaps for their organisation. Finally, the board of directors or executive committee should support the development of cyber security skills and experience for all personnel within their organisation.
In order for the board of directors or executive committee to fulfil both their fiduciary duties and any legislative or regulatory obligations, it is important that they understand the business criticality of their organisation’s systems, including a basic understanding of what exists, their value, where they reside, who has access, who might seek access, how they are protected, and how that protection is verified.
In order for the board of directors or executive committee to fulfil both their fiduciary duties and any legislative or regulatory obligations, it is important that they plan for major cyber security incidents, including by participating in exercises, and understand their duties in relation to such cyber security incidents.
Further information on how the board of directors or executive committee can protect themselves from cyber threats can be found in the Australian Signals Directorate’s (ASD) Practical cyber security tips for business leaders publication.
Further information on questions the board of directors or executive committee should be asking of their organisation can be found in ASD’s Ten things to know about data security publication.
Further information on how the board of directors or executive committee can plan for major cyber security incidents can be found in ASD’s Planning for critical vulnerabilities: What the board of directors needs to know publication.
Further information on cyber security considerations for the board of directors or executive committee during mergers, acquisitions and Machinery of Government changes can be found in ASD’s Mergers, acquisitions and Machinery of Government changes publication.
Further information on cyber security responsibilities and duties of the board of directors or executive committee can be found in the United Kingdom’s National Cyber Security Centre’s Cyber Security Toolkit for Boards.
The role of the chief information security officer (CISO) within an organisation should extend to information technology and operational technology. However, where appropriate and practical to do so, responsibility for operational technology cyber security may be delegated by the CISO.
Within this section, the breadth of responsibilities for information technology and operational technology are collectively referenced under the banner of cyber security.
The role of the CISO requires a combination of technical and soft skills, such as business acumen, leadership, communications and relationship building. Additionally, a CISO should adopt a continuous approach to learning and up-skilling in order to maintain pace with the cyber threat landscape and new technologies. It is expected that a CISO show innovation and imagination in conceiving and delivering cyber security strategies for their organisation.
To provide cyber security leadership and guidance within an organisation (for information technology and operational technology), it is important that the organisation appoints a CISO.
Control: ISM-0714; Revision: 6; Updated: Jun-24; Applicable: NC, OS, P, S, TS; Essential 8: N/A
A CISO is appointed to provide cyber security leadership and guidance for their organisation (covering information technology and operational technology).
The CISO within an organisation is responsible for overseeing their organisation’s cyber security program and ensuring compliance with cyber security policy, standards, regulations and legislation. They are likely to work with a chief security officer, a chief information officer and other senior executives within their organisation.
The CISO is responsible for ensuring the alignment of cyber security and business objectives within their organisation. To achieve this, they should facilitate communication between cyber security and business stakeholders. This includes translating cyber security concepts and language into business concepts and language, as well as ensuring that business teams consult with cyber security teams to determine appropriate controls when planning new business projects. Additionally, as the CISO is responsible for the development of their organisation’s cyber security program, they are best placed to advise projects on the strategic direction of cyber security within their organisation.
The CISO is responsible for reporting cyber security matters to their organisation’s board of directors or executive committee, as well as their organisation’s audit, risk and compliance committee (or equivalent). In doing so, it is important that reporting is done directly by the CISO rather than via other senior executives within their organisation. This ensures reporting remains accurate and free of any conflicts of interest.
Reporting should cover:
Reporting on cyber security matters should be structured by business functions, regions or legal entities and support a consolidated view of an organisation’s security risks.
It is important that the CISO is able to translate security risks into operational risks for their organisation, including financial and legal risks, in order to enable more holistic conversations about their organisation’s risks.
To ensure the CISO is able to accurately report to their organisation’s board of directors or executive committee on cyber security matters, it is important they are fully aware of all cyber security incidents within their organisation.
The CISO is also responsible for overseeing their organisation’s response to cyber security incidents, including how internal teams respond and communicate with each other during cyber security incidents. In the event of a major cyber security incident, the CISO should be prepared to step into a crisis management role. They should understand how to bring clarity to the situation and communicate effectively with internal and external stakeholders.
The CISO is responsible for contributing to the development, implementation and maintenance of their organisation’s business continuity and disaster recovery plans, with the aim to improve business resilience and ensure the continued operation of critical business processes.
To assist in facilitating cyber security cultural change and awareness within their organisation, across their organisation’s cyber supply chain and among their organisation’s customers, the CISO should act as a cyber security leader and regularly communicate the cyber security vision and strategy for their organisation. In doing so, a cyber security communications strategy can be helpful in achieving this outcome. As part of this, communication styles and content should be tailored to different target audiences.
The CISO is responsible for ensuring that consistent vendor management processes are applied across their organisation, from discovery through to ongoing management. As supplier relationships come with additional security risks, the CISO should assist personnel with assessing cyber supply chain risks and understand the security impacts of entering into contracts with suppliers.
Receiving and managing a dedicated cyber security budget will ensure the CISO has sufficient access to funding to support their cyber security program, including cyber security uplift activities and responding to cyber security incidents.
The CISO is responsible for the cyber security workforce within their organisation, including plans to attract, train and retain cyber security personnel. The CISO should also delegate relevant tasks to cyber security managers and other personnel as required to support cyber security activities within their organisation and provide them with adequate authority and resources to perform their duties.
To ensure personnel are actively contributing to the security culture of their organisation, a cyber security awareness training program should be developed, implemented and maintained. As the CISO is responsible for cyber security within their organisation, they should oversee the development, implementation and maintenance of the cyber security awareness training program.
Further information on responding to cyber security incidents can be found in the ‘Managing cyber security incidents’ section of the Guidelines for cyber security incidents.
Further information on the development of a cyber security strategy can be found in the ‘Development and maintenance of cyber security documentation’ section of the Guidelines for cyber security documentation.
Further information on cyber supply chain risk management can be found in the ‘Cyber supply chain risk management’ section of the Guidelines for procurement and outsourcing.
Further information on the procurement of outsourced services can be found in the ‘Managed services and cloud services’ section of the Guidelines for procurement and outsourcing.
Further information on cyber security awareness training programs can be found in the ‘Cyber security awareness training’ section of the Guidelines for personnel security.
System owners are responsible for ensuring the secure operation of their systems. However, system owners may delegate the day-to-day management and operation of their systems to system managers. It is recommended that system owners collaborate with their organisation’s internal cyber security teams or engage external cyber security specialists to assist them with their cyber security responsibilities.
Broadly, the risk management framework used by the Information security manual has six steps: define the system, select controls, implement controls, assess controls, authorise the system and monitor the system. System owners are responsible for the implementation of this six-step risk management framework for each of their systems.
Annual reporting by system owners on the security status of their systems to their authorising officer can assist the authorising officer in maintaining awareness of the security posture of systems within their organisation.
Further information on using the Information security manual’s six-step risk management framework can be found in the ‘Applying a risk-based approach to cyber security’ section of Using the Information security manual.
Further information on the purpose of IRAP is available from ASD.
Further information on monitoring systems and their operating environments can be found in the ‘Event logging and monitoring’ section of the Guidelines for system monitoring.