Information security internal governance guideline

PUBLIC

QGEA

Final

November 2010

v1.0.0

Document details

Security classification / PUBLIC
Date of review of security classification / November 2010
Authority / Queensland Government Chief Information Officer
Author / ICT Policy and Coordination Office
Documentation status / Final version

Contact for enquiries and proposed changes

All enquiries regarding this document should be directed in the first instance to:

Executive Director
ICT Policy & Coordination Office

Acknowledgements

This version of the Queensland Government Enterprise Architecture (QGEA) Information security internal governance guideline was developed and updated by the ICT Policy and Coordination Office.

Feedback was also received from a number of agencies, including members of the Information Security Reference Group, which was greatly appreciated.

Copyright

Information security internal governance guideline

Copyright © The State of Queensland (Department of Public Works) 2010

Licence

Information security internal governance guideline is licensed under a Creative Commons Attribution 2.5 Australia licence. To view a copy of this licence, visit Permissions may be available beyond the scope of this licence. See

Information security

This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.

Contents

1 Introduction
1.1 Purpose
1.2 Audience
1.3 Scope
2 Background
2.1 What is internal information security governance?
2.2 How was this guideline derived?
3 Example information security roles and responsibilities
3.1 Owner
3.2 Governance
3.3 Custodian
3.4 Administrator
3.5 Users
3.6 Related ICT roles and responsibilities
4 Information security governance body
4.1 Membership
4.2 Responsibilities
4.3 Authority
4.4 Suggested reporting requirements
4.5 Delegation
4.6 Operation
4.7 Review
Appendix A Suggested meeting agenda


1 Introduction

1.1 Purpose

This guideline:

  • outlines best practices for implementing internal information security governance in line with Information Standard 18: Information security (IS18)
  • is not mandatory and therefore agencies may choose to allocate information security roles and responsibilities differently.

1.2 Audience

This document is primarily intended for individuals and groups with information security roles and responsibilities.

1.3 Scope

This guideline supports IS18.

This guideline does not address supplemental information security roles (eg. human resources) or broader information management roles and responsibilities. For information management responsibilities see the Information management roles and responsibilities guideline.

Where possible, overlap between the roles and responsibilities specified here and in the Information management roles and responsibilities guideline has been avoided. For example, rather than duplicate the role of the Information asset custodian here, that role is discussed solely in the Information management roles and responsibilities guideline. However, both guidelines do discuss the roles and responsibilities of the Chief Executive Officer (CEO). This guideline should be read as specifying the information security responsibilities of the CEO, and not the CEO's broader information management responsibilities.

2 Background

2.1 What is internal information security governance?

The Queensland Government information security policy framework defines internal information security governance as including:

‘… all activities related to the governance, authorisation and auditing of information security arrangements within the organisation. Roles and responsibilities relating to information security within the agency should also be defined.’

2.2 How was this guideline derived?

Section 3 of this guideline is derived from the following sources:

  • The Australian Government Information Security Manual (ISM), developed by the Defence Signals Directorate under its role of providing policies and standards for Australian Government agencies to assist in the protection of official government information that is processed, stored or communicated by Australian Government systems. The Queensland Government is not bound to comply with the ISM; however, it does seek to align with the ISM where practical in order to ensure consistency of practices across jurisdictions. Section 3 of this guideline adopts and augments some of the roles and responsibilities defined in the ISM.
  • Information Standard 44: Information asset custodianship (IS44)
  • IS18
  • other existing standards as specified throughout this document.

3 Example information security roles and responsibilities

This section provides example information security roles and responsibilities within the following categories:

  • owner – has the authority and accountability for information security and approves rules
  • governance – provides direction and endorsement; evaluates performance; manages risks and measures compliance
  • custodian – defines the rules for information security on behalf of the owner
  • administrator – implements information security rules on behalf of the custodian
  • user – follows the information security rules where required.

Figure 1: Example agency-specific information security roles and responsibilities

3.1 Owner

3.1.1 CEO[1] and delegates

The agency CEO has the authority and accountability for information security. It is the CEO's responsibility to:

  • approve information security rules
  • show leadership through awareness of their information security responsibilities
  • provide support for the development, implementation and ongoing maintenance of information security processes and infrastructure within the agency
  • ensure that the information security governance body is in operation
  • ensure that agency information security responsibilities are met.

The CEO may delegate their responsibilities to either the:

  • Chief Information Officer
  • Information Security Director
  • Information security governance body. Where this occurs, the responsibilities above fall to the chair of that body; it is recommended that the chair be an SES level officer, as this will ensure appropriate authority.

3.2 Governance

IS18 requires agencies to establish and document information security governance arrangements (including roles and responsibilities). It is suggested that agencies either establish a separate information security governance body or assign responsibility to an existing body (eg. information governance body or information steering committee). Section 4 provides implementation guidance for the information security governance body.

The implementation of information security governance arrangements is also a best practice control within AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements and AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management.

3.3 Custodian

3.3.1 Chief Information Security Officer (CISO)

The CISO is primarily responsible for setting information security policy. In addition, the CISO may also have administrator responsibilities with regard to information security. The CISO may delegate their administrator responsibilities to members of the information security team, if a team exists. Specifically, it is the CISO's responsibility, acting on behalf of the information security governance body, to:

  • coordinate communication between security and business functions
  • oversee the application of information security controls and information security risk management processes within the agency
  • report to the agency CEO (or delegate), information security governance body and others as required on matters of information security within the agency
  • develop, coordinate the implementation of, and maintain agency information security policy, plans, operations and risk management processes, and set and measure performance indicators for these to assist decision making
  • ensure the agency complies with information security requirements (including coordinating tests of information security controls and compliance and maturity self assessments), thereby maintaining the security culture within the agency
  • serve as a member of the information security governance body
  • translate information security risks into business risks, thereby ensuring interest in information security from business owners within the agency
  • work with ICT projects (including those where services are to be provided by external parties) to ensure alignment with information security requirements
  • coordinate the use of external information security resources for the agency including contracting and managing the resources
  • control the information security budget and ensure ongoing funding in liaison with the information security governance body
  • oversee and coordinate the operations of the Information Security Incident Response Team (ISIRT)
  • serve as a member of the ISIRT
  • ensure that information security incidents are managed according to agency policy and process
  • be aware of all information security incidents within the agency and ensure significant information security incidents are escalated in accordance with agency procedures
  • deliver incident reports compiled by the ISIRT and compliance reports to the information security governance body
  • coordinate the development of information and ICT asset disaster recovery plans within the agency to ensure that business-critical services are supported appropriately in the event of a disaster
  • oversee the development and operation of information security communication, awareness and training programs
  • communicate with ICT asset custodians and personnel to increase their awareness of applicable information security policies and standards
  • ensure that physical and personnel security controls are implemented to appropriately protect agency information
  • work with the delegate owner (accountable officer) of information assets, or their delegates and information asset custodians to ensure that information assets have been assigned appropriate information security classifications
  • provide expert advice within the agency on information security and appropriate physical and personnel security controls to protect information assets
  • coordinate the information security efforts of ICT Managers
  • obtain the accreditation of ICT assets (for more information on accreditation against the Australian Government Protective Security Policy Framework (PSPF), which has superseded the Australian Government Protective Security Manual, and the ISM, contact the Defence Signals Directorate or see the Queensland Government Public Key Infrastructure Framework).

3.4 Administrator

3.4.1 Information security officers

Information security officers form part of the CISO's team and fulfil administrator responsibilities as delegated by the CISO.

3.4.2 Information security incident response team (ISIRT)

The ISIRT is responsible for:

  • answering and logging all incoming telephone calls and emails reporting information security events and incidents
  • updating the events and incident register with new information security event and incident information
  • conducting initial diagnosis of information security events and incidents
  • classifying information security events and incidents
  • determining or making a recommendation on what action is to be taken in response to an information security event or incident
  • seeking external support to resolve an information security incident where required
  • resolving incidents and notifying the Queensland Government Information Security Incident Virtual Response Team where applicable
  • closing incidents and finalising the information security event or incident entry within the event and incident register
  • providing feedback to employees who report information security incidents or are affected by them
  • coordinating post information security incident forensic analysis
  • compiling event and incident and compliance reports for the CEO, information security governance body, CISO and external parties as required
  • recommending corrective and preventative actions in response to information security events and incidents to the CISO and information security governance body
  • conducting other administrator duties such as backups
  • reviewing system event logs as required.

Further guidance on the ISIRT is available within the Information security event and incident management guideline (not yet approved).

3.4.3 External parties

External parties are responsible for implementing:

  • their legislative responsibilities
  • their contractual responsibilities
  • the agency’s information security policies and processes.

Note that external parties may also be users.

For more information, see the Information security external party governance guideline.

3.5 Users

3.5.1 Employees

Employees are responsible for understanding the information security policy and processes and in particular:

  • following the relevant policies and processes for the systems that they are using (including password or other authentication mechanism requirements)
  • when using, editing or receiving information into the agency from another source:
      – ensuring appropriate controls are applied to security classified information
      – where information has not already been security classified, or has been classified inappropriately, making a recommendation for a security classification or raising this with their manager or the information asset custodian
  • securing unattended equipment (eg. locking computers when away from the desk)
  • keeping a clear desk and screen[2]
  • reporting security incidents.[3]

It is the responsibility of privileged users to:

  • protect privileged account authenticators at the same security classification as the system they secure
  • not share authenticators for privileged accounts without approval
  • be responsible for all actions under their privileged accounts
  • use privileged access only to perform authorised tasks and functions
  • report all potential information security related issues to the agency's ISIRT.

3.5.2 External parties

External parties are responsible for complying with:

  • their legislative and contractual responsibilities
  • the agency’s information security policies and processes.

External parties may also be administrators.

For more information, see the Information security external party governance guideline.

3.6 Related ICT roles and responsibilities

3.6.1 ICT asset custodians

ICT asset custodians maintain the accreditation of ICT assets and are responsible for ensuring that associated information security documentation is developed and maintained. It is the responsibility of ICT asset custodians to:

  • seek assistance from the CISO in the performance of their information security related responsibilities
  • maintain the accreditation of ICT assets in liaison with the CISO
  • direct the implementation of changes or initiatives as required by the information security plan relating to their ICT asset
  • direct the development and maintenance of ICT asset documentation including risks, information security controls (commensurate with the security classification of the information assets therein) and operating procedures
  • ensure that information security events and incidents related to their ICT asset are detected and reported as required
  • delegate administrator responsibilities to ICT managers and officers as required.

3.6.2 ICT managers

ICT managers ensure that administrator information security measures are appropriately considered and addressed within the agency. A Network Manager would be an example of an ICT manager within an agency[4]. ICT managers act as a conduit between the strategic directions provided by the CISO and ICT asset custodians, and the technical efforts of the ICT officers (see below). It is the responsibility of ICT managers to:

  • ensure information security risks are addressed in ICT projects, including where services are to be provided by external parties
  • liaise with vendors, agency purchasing and legal areas to establish mutually acceptable contracts and service level agreements that address information security issues
  • implement information security policy and controls within their area
  • serve as a member of the ISIRT as required
  • assist both ICT asset custodians and information security officers in understanding and responding to information security audit failures
  • ensure that information and ICT asset disaster recovery plans can be practically implemented within their areas.

3.6.3 ICT officers

It is the ICT officers’ responsibility to ensure the technical security of ICT assets. The ICT officer has the following administrator responsibilities:

  • administer ICT asset security controls including access management, installation and configuration management, patch management and change management
  • perform vulnerability assessments on ICT assets as directed
  • locate and repair information security problems and failures
  • serve as a member of the ISIRT as required
  • produce incident and compliance reports for the ICT assets that they administer
  • manage and audit system event logs for the ICT assets that they administer
  • implement or coordinate remediation activities required by information security audits
  • support ICT managers to ensure that information and ICT disaster recovery plans can be practically implemented within their areas
  • implement changes or initiatives relating to the ICT assets that they administer as required by the information security plan
  • communicate with ICT asset custodians and personnel to increase their awareness of applicable information security policies and standards
  • other administrator duties as delegated by the ICT manager.

An example of an ICT officer within an agency may be the network operations staff that support the Network Manager (an ICT manager).

4 Information security governance body

4.1 Membership

Membership of the information security governance body should reflect the size, geography and complexity of the agency. Membership should include:

  • CISO
  • representative/s from information security administration
  • representatives from across the organisation with relevant roles and responsibilities (eg. protective security, business areas, ICT, auditors, legal, human resources, risk management, business planning, information management)[5].

4.1.1 Chair

It is the responsibility of the Chair of the information security governance body to:

  • lead and direct the activities of the information security governance body
  • ensure that the information security governance body operates effectively including setting meeting agendas and conducting meetings and business
  • ensure adequate induction of new members
  • determine performance standards and a program of work for the information security governance body
  • fulfil the reporting requirements of the information security governance body (see suggestions below).

4.1.2 Role

The role of the information security governance body is to:

  • direct the preparation and implementation of information security policies and processes
  • evaluate and direct information security plans and initiatives
  • review and monitor conformance to obligations and performance
  • develop information security capability within the agency.

4.2 Responsibilities

The information security governance body fulfils this role by meeting the management and coordination responsibilities detailed in this section.

4.2.1 Direct the preparation and implementation of information security policies and processes

It is a role of the information security governance body to direct the preparation and implementation of the information security policies and processes.