
Information Security Management Delegations

AS/NZS ISO/IEC 17799:2006 defines 39 main security categories, each with a stated control objective (the numbered Sections below), grouped under eleven security control clauses (5 to 15). These model delegations also cover the risk assessment and treatment clause (4), giving the twelve Categories below. Each Section is delegated to an Owner (accountable), an Operator (does the work) and a Reviewer (checks that the work is done correctly); agency position descriptions and role definitions are included at the end of this document. Model delegations are as follows:

| Category | Section | Purpose | Sub-sections | Owner | Operator | Reviewer |
|---|---|---|---|---|---|---|
| 4. Risk Assessment | 4.1 Assessing Security Risks | Risk assessments should identify, quantify, and prioritise risks against criteria relevant to the organisation. | | Director General/Commissioner/CEO | Director, Information Services | Risk Management and Audit Committee |
| 4. Risk Assessment | 4.2 Treating Security Risks | Controls should be selected and implemented to manage or reduce the risk or its impact. | | Director, Information Services | Manager, Information Security | Risk Management and Audit Committee |
| 5. Security Policy | 5.1 Information Security Policy | To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. | | Director, Information Services | Manager, Information Security | Risk Management and Audit Committee |
| 6. Organisation Of Information Security | 6.1 Internal Organisation | To manage information security within the organisation. | 6.1.1 Management Commitment To Information Security; 6.1.2 Information Security Co-ordination; 6.1.3 Allocation Of Information Security Responsibilities; 6.1.4 Authorisation Process For Information Processing Facilities; 6.1.5 Confidentiality Agreements; 6.1.6 Contact With Authorities; 6.1.7 Contact With Special Interest Groups; 6.1.8 Independent Review Of Information Security | Director, Information Services | Manager, Information Security | Risk Management and Audit Committee |

Copyright 2010 Government of Western Australia 96294616.doc

Department of . . .

| Category | Section | Purpose | Sub-sections | Owner | Operator | Reviewer |
|---|---|---|---|---|---|---|
| 6. Organisation Of Information Security | 6.2 External Parties | To maintain the security of the organisation's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties. | 6.2.1 Identification Of Risks Related To External Parties; 6.2.2 Addressing Security When Dealing With Customers; 6.2.3 Addressing Security In Third Party Agreements | Director, Information Services | Manager, Information Security | Risk Management and Audit Committee |
| 7. Asset Management | 7.1 Responsibility For Assets | To achieve and maintain appropriate protection of organisational assets. | 7.1.1 Inventory Of Assets; 7.1.2 Ownership Of Assets; 7.1.3 Acceptable Use Of Assets | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |
| 7. Asset Management | 7.2 Information Classification | To ensure that information receives an appropriate level of protection. | 7.2.1 Classification Guidelines; 7.2.2 Information Labelling And Handling | Director, Information Services | Manager, Information Architecture | Manager, Information Security |
| 8. Human Resources Security | 8.1 Prior To Employment | To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities. | | Director, Information Services | Manager, Information Security | Risk Management and Audit Committee |
| 8. Human Resources Security | 8.2 During Employment | To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organisational security policy in the course of their normal work, and to reduce the risk of human error. | 8.2.1 Management Responsibilities; 8.2.2 Information Security Awareness, Education, And Training; 8.2.3 Disciplinary Process | Director, Information Services | Manager, Information Security | Risk Management and Audit Committee |
| 8. Human Resources Security | 8.3 Termination Or Change Of Employment | To ensure that employees, contractors and third party users exit an organisation or change employment in an orderly manner. | 8.3.1 Termination Responsibilities; 8.3.2 Return Of Assets; 8.3.3 Removal Of Access Rights | Director, Information Services | Manager, Information Security | Risk Management and Audit Committee |


| Category | Section | Purpose | Sub-sections | Owner | Operator | Reviewer |
|---|---|---|---|---|---|---|
| 9. Physical And Environmental Security | 9.1 Secure Areas | To prevent unauthorised physical access, damage, and interference to the organisation's premises and information. | 9.1.1 Physical Security Perimeter; 9.1.2 Physical Entry Controls; 9.1.3 Securing Offices, Rooms, And Facilities; 9.1.4 Protecting Against External And Environmental Threats; 9.1.5 Working In Secure Areas; 9.1.6 Public Access, Delivery, And Loading Areas | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |
| 9. Physical And Environmental Security | 9.2 Equipment Security | To prevent loss, damage, theft or compromise of assets and interruption to the organisation's activities. | 9.2.1 Equipment Siting And Protection; 9.2.2 Supporting Utilities; 9.2.3 Cabling Security; 9.2.4 Equipment Maintenance; 9.2.5 Security Of Equipment Off-Premises; 9.2.6 Secure Disposal Or Re-Use Of Equipment; 9.2.7 Removal Of Property | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |
| 10. Communications And Operations Management | 10.1 Operational Procedures And Responsibilities | To ensure the correct and secure operation of information processing facilities. | 10.1.1 Documented Operating Procedures; 10.1.2 Change Management; 10.1.3 Segregation Of Duties; 10.1.4 Separation Of Development, Test, And Operational Facilities | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |
| 10. Communications And Operations Management | 10.2 Third Party Service Delivery Management | To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements. | 10.2.1 Service Delivery; 10.2.2 Monitoring And Review Of Third Party Services; 10.2.3 Managing Changes To Third Party Services | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |
| 10. Communications And Operations Management | 10.3 System Planning And Acceptance | To minimise the risk of systems failures. | 10.3.1 Capacity Management; 10.3.2 System Acceptance | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |
| 10. Communications And Operations Management | 10.4 Protection Against Malicious And Mobile Code | To protect the integrity of software and information. | 10.4.1 Controls Against Malicious Code; 10.4.2 Controls Against Mobile Code | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |


| Category | Section | Purpose | Sub-sections | Owner | Operator | Reviewer |
|---|---|---|---|---|---|---|
| 10. Communications And Operations Management | 10.5 Back-Up | To maintain the integrity and availability of information and information processing facilities. | 10.5.1 Information Back-Up | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |
| 10. Communications And Operations Management | 10.6 Network Security Management | To ensure the protection of information in networks and the protection of the supporting infrastructure. | 10.6.1 Network Controls; 10.6.2 Security Of Network Services | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |
| 10. Communications And Operations Management | 10.7 Media Handling | To prevent unauthorised disclosure, modification, removal or destruction of assets, and interruption to business activities. | 10.7.1 Management Of Removable Media; 10.7.2 Disposal Of Media; 10.7.3 Information Handling Procedures; 10.7.4 Security Of System Documentation | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |
| 10. Communications And Operations Management | 10.8 Exchange Of Information | To maintain the security of information and software exchanged within an organisation and with any external entity. | | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |
| 10. Communications And Operations Management | 10.9 Electronic Commerce Services | To ensure the security of electronic commerce services, and their secure use. | 10.9.1 Electronic Commerce; 10.9.2 On-Line Transactions; 10.9.3 Publicly Available Information | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |
| 10. Communications And Operations Management | 10.10 Monitoring | To detect unauthorised information processing activities. | 10.10.1 Audit Logging; 10.10.2 Monitoring System Use; 10.10.3 Protection Of Log Information; 10.10.4 Administrator And Operator Logs; 10.10.5 Fault Logging; 10.10.6 Clock Synchronisation | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |
| 11. Access Control | 11.1 Business Requirement For Access Control | To control access to information. | 11.1.1 Access Control Policy | Director, Information Services | Manager, Information Security | Risk Management and Audit Committee |
| 11. Access Control | 11.2 User Access Management | To ensure authorised user access and to prevent unauthorised access to information systems. | 11.2.1 User Registration; 11.2.2 Privilege Management; 11.2.3 User Password Management; 11.2.4 Review Of User Access Rights | Director, Information Services | Manager, Information Security | Risk Management and Audit Committee |


| Category | Section | Purpose | Sub-sections | Owner | Operator | Reviewer |
|---|---|---|---|---|---|---|
| 11. Access Control | 11.3 User Responsibilities | To prevent unauthorised user access, and compromise or theft of information and information processing facilities. | 11.3.1 Password Use; 11.3.2 Unattended User Equipment; 11.3.3 Clear Desk And Clear Screen Policy | Director, Information Services | Manager, Information Security | Risk Management and Audit Committee |
| 11. Access Control | 11.4 Network Access Control | To prevent unauthorised access to networked services. | 11.4.1 Policy On Use Of Network Services; 11.4.2 User Authentication For External Connections; 11.4.3 Equipment Identification In Networks; 11.4.4 Remote Diagnostic And Configuration Port Protection; 11.4.5 Segregation In Networks; 11.4.6 Network Connection Control; 11.4.7 Network Routing Control | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |
| 11. Access Control | 11.5 Operating System Access Control | To prevent unauthorised access to operating systems. | 11.5.1 Secure Log-On Procedures; 11.5.2 User Identification And Authentication; 11.5.3 Password Management System; 11.5.4 Use Of System Utilities; 11.5.5 Session Time-Out; 11.5.6 Limitation Of Connection Time | Director, Information Services | Manager, Information Architecture | Manager, Information Security |
| 11. Access Control | 11.6 Application And Information Access Control | To prevent unauthorised access to information held in application systems. | 11.6.1 Information Access Restriction; 11.6.2 Sensitive System Isolation | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |
| 11. Access Control | 11.7 Mobile Computing And Teleworking | To ensure information security when using mobile computing and teleworking facilities. | 11.7.1 Mobile Computing And Communications; 11.7.2 Teleworking | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |
| 12. Information Systems Acquisition, Development And Maintenance | 12.1 Security Requirements Of Information Systems | To ensure that security is an integral part of information systems. | 12.1.1 Security Requirements Analysis And Specification | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |


| Category | Section | Purpose | Sub-sections | Owner | Operator | Reviewer |
|---|---|---|---|---|---|---|
| 12. Information Systems Acquisition, Development And Maintenance | 12.2 Correct Processing In Applications | To prevent errors, loss, unauthorised modification or misuse of information in applications. | 12.2.1 Input Data Validation; 12.2.2 Control Of Internal Processing; 12.2.3 Message Integrity; 12.2.4 Output Data Validation | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |
| 12. Information Systems Acquisition, Development And Maintenance | 12.3 Cryptographic Controls | To protect the confidentiality, authenticity or integrity of information by cryptographic means. | 12.3.1 Policy On The Use Of Cryptographic Controls; 12.3.2 Key Management | Director, Information Services | Manager, Information Architecture | Manager, Information Security |
| 12. Information Systems Acquisition, Development And Maintenance | 12.4 Security Of System Files | To ensure the security of system files. | | Director, Information Services | Manager, Information Architecture | Manager, Information Security |
| 12. Information Systems Acquisition, Development And Maintenance | 12.5 Security In Development And Support Processes | To maintain the security of application system software and information. | 12.5.1 Change Control Procedures; 12.5.2 Technical Review Of Applications After Operating System Changes; 12.5.3 Restrictions On Changes To Software Packages; 12.5.4 Information Leakage; 12.5.5 Outsourced Software Development | Director, Information Services | Manager, Information Architecture | Manager, Information Security |
| 12. Information Systems Acquisition, Development And Maintenance | 12.6 Technical Vulnerability Management | To reduce risks resulting from exploitation of published technical vulnerabilities. | 12.6.1 Control Of Technical Vulnerabilities | Director, Information Services | Manager, ICT Infrastructure | Manager, Information Security |
| 13. Information Security Incident Management | 13.1 Reporting Information Security Events And Weaknesses | To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken. | 13.1.1 Reporting Information Security Events; 13.1.2 Reporting Security Weaknesses | Director, Information Services | Manager, Information Security | Risk Management and Audit Committee |
| 13. Information Security Incident Management | 13.2 Management Of Information Security Incidents And Improvements | To ensure a consistent and effective approach is applied to the management of information security incidents. | 13.2.1 Responsibilities And Procedures; 13.2.2 Learning From Information Security Incidents; 13.2.3 Collection Of Evidence | Director, Information Services | Manager, Information Security | Risk Management and Audit Committee |


| Category | Section | Purpose | Sub-sections | Owner | Operator | Reviewer |
|---|---|---|---|---|---|---|
| 14. Business Continuity Management | 14.1 Information Security Aspects Of Business Continuity Management | To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. | 14.1.1 Including Information Security In The Business Continuity Management Process; 14.1.2 Business Continuity And Risk Assessment; 14.1.3 Developing And Implementing Continuity Plans Including Information Security; 14.1.4 Business Continuity Planning Framework; 14.1.5 Testing, Maintaining And Re-Assessing Business Continuity Plans | Director, Information Services | Manager, Information Architecture | Risk Management and Audit Committee |
| 15. Compliance | 15.1 Compliance With Legal Requirements | To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements. | 15.1.1 Identification Of Applicable Legislation; 15.1.2 Intellectual Property Rights (IPR); 15.1.3 Protection Of Organisational Records; 15.1.4 Data Protection And Privacy Of Personal Information; 15.1.5 Prevention Of Misuse Of Information Processing Facilities; 15.1.6 Regulation Of Cryptographic Controls | Director, Information Services | Manager, Information Security | Risk Management and Audit Committee |
| 15. Compliance | 15.2 Compliance With Security Policies And Standards, And Technical Compliance | To ensure compliance of systems with organisational security policies and standards. | 15.2.1 Compliance With Security Policies And Standards; 15.2.2 Technical Compliance Checking | Director, Information Services | Manager, Information Security | Risk Management and Audit Committee |
| 15. Compliance | 15.3 Information Systems Audit Considerations | To maximise the effectiveness of, and to minimise interference to and from, the information systems audit process. | 15.3.1 Information Systems Audit Controls | Director, Information Services | Manager, Information Security | Risk Management and Audit Committee |


Definitions

Agency Position

The roles used in this set of Information Security delegations align with the following positions within the Agency.

| Role | General Description |
|---|---|
| Director General/Commissioner/CEO | Head of Agency |
| Risk Management and Audit Committee | Peak agency group for risk and audit, including business continuity |
| Director, Information Services | Responsible to the head of agency for information functions such as ICT, libraries and recordkeeping |
| Manager, ICT Infrastructure | Responsible to the Director, Information Services for networks, services, telecommunications, etc. |
| Manager, Information Architecture | Responsible to the Director, Information Services for information planning and architecture related functions |
| Manager, Information Security | Responsible to the Director, Information Services for information security, review and compliance |

Role Category

These model delegations focus on the information security domains within Government. The roles are based on the standard responsibility definitions (Standard Responsibility Definitions, below): Owner corresponds to Accountable and Operator to Responsible, with the addition of a Reviewer role to recognise the importance of audit functions. In the model tables the Reviewer is never the same position as the Operator, so that the person who checks a control is not the person who performs it. The model is simplified because each agency will have local practices and preferences for the organisational positions that are consulted and informed.

| Role | Description |
|---|---|
| Owner | The one ultimately accountable for the item |
| Operator | Those who do the work to achieve the item |
| Reviewer | Those who check that the item is performed correctly |

Standard Responsibility Definitions

The standard roles for information technology, and particularly information security, are Responsible, Accountable, Consulted and Informed, referred to by the acronym RACI.

| Role | Description |
|---|---|
| Responsible | Those who do the work to achieve the task. There is typically one role with a participation type of Responsible, although others can be delegated to assist in the work required. |
| Accountable (also Approver or final Approving authority) | The one ultimately accountable for the correct and thorough completion of the deliverable or task, and the one to whom Responsible is accountable. In other words, an Accountable must sign off (Approve) on work that Responsible provides. There must be only one Accountable specified for each task or deliverable. |
| Consulted | Those whose opinions are sought, and with whom there is two-way communication. |
| Informed | Those who are kept up-to-date on progress, often only on completion of the task or deliverable, and with whom there is just one-way communication. |
