Cyber Security Roles
This page provides a template and guidance to assist organisations in documenting the cyber security roles associated with their system(s) built on ASD's Blueprint for Secure Cloud.
Estimated reading time: 3 minutes
Instruction
The Cyber Security Roles section of a System Security Plan (SSP) should outline the relevant managerial and leadership roles involved in managing cyber security risks and controls relating to a system within an organisation. This information should be documented according to relevant controls outlined in ASD’s ISM.
All template text refers to a typical implementation of a system built using the Blueprint, and includes reference to organisational policies, processes and technical configurations to be implemented in addition to the technical controls that may be configured using guidance in the Blueprint. Any implementation implied by the below should not be considered as prescriptive as to how organisations must scope, build, document, or assess a system.
When completing the below template, organisations should insert and update information where relevant to ensure it accurately represents the cyber security roles in their organisation. When complete, remove any grey instructional or blue guidance boxes throughout.
ASD’s ISM outlines the following key roles as required in relation to the operation of <SYSTEM-NAME>.
Chief Information Security Officer (CISO)
Applicability
ISM controls relating to the CISO role are applicable to <SYSTEM-NAME> as they require oversight of cyber security risks and controls within <ORGANISATION-NAME>, and as such are applicable to this SSP.
<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>
Organisational Policies and Processes Implemented
The CISO is responsible for information security within <ORGANISATION-NAME>. They are responsible for the definition, authorisation, review, and monitoring of information security policies within the organisation in accordance with the duties outlined in the SSP Annex.
Contact Name | Contact Phone | Contact Email |
---|---|---|
<CISO-NAME> | <+61# ## ### ###> | <CISO-EMAIL@ORGANISATION.GOV.AU> |
<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>
Technical Controls Implemented
No technical controls are implemented in <SYSTEM-NAME> relating to the CISO’s roles and responsibilities.
<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>
System Owner
Applicability
ISM controls relating to the System Owner role are applicable to <SYSTEM-NAME> as they require system-specific governance in <ORGANISATION-NAME>, and as such are applicable to this SSP.
<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>
Organisational Policies and Processes Implemented
The System Owner monitors security risks and the effectiveness of security controls for <SYSTEM-NAME>, and performs or delegates the relevant duties outlined in the SSP Annex.
Contact Name | Contact Phone | Contact Email |
---|---|---|
<SYSTEM-OWNER-NAME> | <+61# ## ### ###> | <SYSTEM-OWNER-EMAIL@ORGANISATION.GOV.AU> |
<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>
Technical Controls Implemented
No technical controls are implemented in <SYSTEM-NAME> relating to the System Owner’s roles and responsibilities.
<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>
Other Roles
ASD’s ISM outlines other roles and responsibilities that may be relevant to the operation of <SYSTEM-NAME>.
Applicability
ISM controls relating to the appropriate management of <SYSTEM-NAME> within <ORGANISATION-NAME> may be relevant to this SSP, but are not specifically required by the ISM.
Organisational Policies and Processes Implemented
Information Technology Security Advisor (ITSA)
The ITSA is responsible for managing IT security across <ORGANISATION-NAME>.
Contact Name | Contact Phone | Contact Email |
---|---|---|
<ITSA-NAME> | <+61# ## ### ###> | <ITSA-EMAIL@ORGANISATION.GOV.AU> |
System Manager
The System Manager is responsible for managing the day-to-day operations of <SYSTEM-NAME>, as delegated by the System Owner.
Contact Name | Contact Phone | Contact Email |
---|---|---|
<SYSTEM-MANAGER-NAME> | <+61# ## ### ###> | <SYSTEM-MANAGER-EMAIL@ORGANISATION.GOV.AU> |
Data Owner
Data Owners are responsible for ensuring relevant data complies with policies and regulatory requirements, and is assigned an appropriate classification as defined within the PSPF.
Contact Name | Contact Phone | Contact Email |
---|---|---|
<DATA-OWNER-1-NAME> | <+61# ## ### ###> | <DATA-OWNER-1-EMAIL@ORGANISATION.GOV.AU> |
<DATA-OWNER-2-NAME> | <+61# ## ### ###> | <DATA-OWNER-2-EMAIL@ORGANISATION.GOV.AU> |
<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>
Technical Controls Implemented
No technical controls are implemented in <SYSTEM-NAME> relating to these roles and responsibilities.
<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>
Related Information
Security & Governance
- None identified
Design
- None identified
Configuration
- None identified