Information Technology Security Managers (ITSM) provide information security leadership and management within their agency.

]]> This section covers the role of an ITSM with respect to information security within an agency.

]]> ITSMs are executives within an agency that act as a conduit between the strategic directions provided by the CISO and the technical efforts of systems administrators. The main area of responsibility of an ITSM is that of the administrative and process controls relating to information security within the agency.

]]> When agencies outsource their ICT services, ITSMs should be independent of any company providing ICT services. This will prevent any conflict of interest for an ITSM in conducting their duties.

]]> Ensure that the agency has a point of presence at sites to assist with monitoring information security for systems and responding to any information security incidents.

]]> Agencies MUST appoint at least one ITSM within their agency.

]]> ITSMs MUST be:

  • cleared for access to all classified information processed by the agency’s systems; and
  • able to be briefed into any compartmented information on the agency’s systems.
]]> Where an agency is spread across a number of geographical sites, it is recommended that the agency SHOULD appoint a local ITSM at each major site.

]]> The ITSM role SHOULD be undertaken by personnel with an appropriate level of authority and training based on the size of the agency or their area of responsibility within the agency.

]]> ITSMs SHOULD NOT have additional responsibilities beyond those needed to fulfil the role as outlined within this manual.

]]> As ITSMs undertake operational management of information security within an agency they can provide valuable input to the development of the information security program by the CISO.

]]> ITSMs SHOULD work with the CISO to develop an information security program within the agency.

]]> ITSMs SHOULD undertake and manage projects to address identified security risks.

]]> As ITSMs have knowledge of all aspects of information security they are best placed to work with ICT projects within the agency to identify and incorporate appropriate information security measures.

]]> ITSMs MUST be responsible for assisting system owners to obtain and maintain the accreditation of their systems.

]]> ITSMs SHOULD identify systems that require security measures and assist in the selection of appropriate information security measures for such systems.

]]> ITSMs SHOULD consult with ICT project personnel to ensure that information security is included in the evaluation, selection, installation, configuration and operation of IT equipment and software.

]]> ITSMs SHOULD work with agency enterprise architecture teams to ensure that security risk assessments are incorporated into system architectures and to identify, evaluate and select information security solutions to meet the agency’s security objectives.

]]> ITSMs SHOULD be included in the agency’s change management and change control processes to ensure that risks are properly identified and controls are properly applied to manage those risks.

]]> ITSMs SHOULD notify the Accreditation Authority of any significant change that may affect the accreditation of that system.

]]> The CISO will coordinate the use of external information security resources to the agency, whilst ITSMs will be responsible for establishing contracts and service-level agreements on behalf of the CISO.

]]> ITSMs SHOULD liaise with vendors and agency purchasing and legal areas to establish mutually acceptable information security contracts and service-level agreements.

]]> The CISO will set the strategic direction for information security within the agency, whereas ITSMs are responsible for managing the implementation of information security measures within the agency.

]]> ITSMs MUST be responsible for ensuring the development, maintenance, updating and implementation of Security Risk Management Plans (SRMPs), Systems Security Plans (SSP) and any Standard Operating Procedures (SOPs) for all agency systems.

]]> ITSMs SHOULD conduct security risk assessments on the implementation of new or updated IT equipment or software in the existing environment and develop treatment strategies if necessary.

]]> ITSMs SHOULD select and coordinate the implementation of controls to support and enforce information security policies.

]]> ITSMs SHOULD provide leadership and direction for the integration of information security strategies and architecture with agency business and ICT strategies and architecture.

]]> ITSMs SHOULD provide technical and managerial expertise for the administration of information security management tools.

]]> As ITSMs are responsible for the operational management of information security projects and functions within their agency, they will be aware of their funding requirements and can assist the CISO to develop information security budget projections and resource allocations.

]]> ITSMs SHOULD work with the CISO to develop information security budget projections and resource allocations based on short-term and long-term goals and objectives.

]]> To ensure the CISO remains aware of all information security issues within their agency, and can brief their agency head when necessary, ITSMs will need to provide regular reports on policy developments, proposed system changes and enhancements, information security incidents and other areas of particular concern to the CISO.

]]> ITSMs SHOULD coordinate, measure and report on technical aspects of information security management.

]]> ITSMs SHOULD monitor and report on compliance with information security policies, as well as the enforcement of information security policies within the agency.

]]> ITSMs SHOULD provide regular reports on information security incidents and other areas of particular concern to the CISO.

]]> ITSMs SHOULD assess and report on threats, vulnerabilities, and residual security risks and recommend remedial actions.

]]> As system owners may not understand the results of audits against their systems ITSMs will need to assist them in understanding and responding to reported audit failures. ITSM's should also refer to 5.8 Independent Assurance Reports.  

]]> ITSMs SHOULD assist system owners and security personnel in understanding and responding to audit failures reported by auditors.

]]> Whilst the CISO will coordinate the development of disaster recovery policies and standards within the agency, ITSMs will need to guide the selection of appropriate strategies to achieve the direction set by the CISO.

]]> ITSMs SHOULD assist and guide the disaster recovery planning team in the selection of recovery strategies and the development, testing and maintenance of disaster recovery plans.

]]> The CISO will oversee the development and operation of information security awareness and training programs within the agency. ITSMs will arrange delivery of that training to personnel within the agency.

]]> ITSMs SHOULD provide or arrange for the provision of information security awareness and training for all agency personnel.

]]> ITSMs SHOULD develop technical information materials and workshops on information security trends, threats, good practices and control mechanisms as appropriate.

]]> ITSMs will often have an extensive knowledge of information security topics and can provide advice for the information security steering committee, change management committee and other agency and inter-agency committees.

]]> ITSMs SHOULD maintain a current and up-to-date security knowledge base comprising of a technical reference library, security advisories and alerts, information on information security trends and practices, and relevant laws, regulations, standards and guidelines.

]]> ITSMs SHOULD provide expert guidance on security matters for ICT projects.

]]> ITSMs SHOULD provide technical advice for the information security steering committee, change management committee and other agency and inter-agency committees as required.

]]> ITSMs are generally considered the information security experts within an agency and as such their contribution to improving the information security of systems, providing input to agency ICT projects, assisting other security personnel within the agency, contributing to information security training and responding to information security incidents is a core aspect of their work.

]]> An ITSM is likely to have the most up to date and accurate understanding of the threat environment relating to systems. As such, it is essential that this information is passed to system owners to ensure that it is considered during accreditation activities.

]]> The ITSM SHOULD keep the CISO and system owners informed with up-to-date information on current threats.

]]>