Roles and responsibilities
This section outlines the roles and responsibilities an agency should allocate as part of their cyber security function. Please note that:
- agencies have flexibility to tailor these roles to their organisational context, but all responsibilities must be allocated and performed regardless of role title
- an agency may not have all the roles outlined below
- these responsibilities can be allocated to roles not specifically named in the NSW Cyber Security Policy or shared among multiple roles.
Agency Heads
All Agency Heads (e.g. Commissioners, Chief Executive Officers), including the Secretary of a department, are accountable for:
- ensuring their agency complies with the requirements of the NSW Cyber Security Policy and timely reporting on compliance with the policy
- ensuring their agency develops, implements and maintains an effective cyber security strategy and plan
- determining their agency's risk appetite using the approved whole-of-government Internal Audit and Risk Management Policy
- signing off on any Mandatory Requirements that have been assessed as not met or partially met in the assurance assessment
- appropriately funding, resourcing, prioritising and supporting agency cyber security initiatives, including training and awareness, and continual improvement initiatives to support the NSW Cyber Security Policy
- approving internal security policies as required.
The Secretary of a department is accountable for:
- appointing or assigning an appropriate senior executive band officer in the agency or across the portfolio with the authority to perform the duties outlined in the NSW Cyber Security Policy – this person should be accountable for cyber security at least at the portfolio level
- appointing or assigning a senior executive band officer with authority for Industrial Automation and Control Systems (IACS) cyber security for the agency or portfolio, if applicable
- ensuring all agencies in their portfolio implement and maintain an effective cyber security program
- supporting the agency's cyber security strategy and plan.
ICT & Digital Leadership Group (IDLG)
The IDLG is chaired by the NSW Government Chief Information and Digital Officer (GCIDO) and is attended by the Chief Information Officers (CIOs) in the NSW Government. The IDLG is responsible for:
- endorsing the NSW Cyber Security Policy and any updates
- ensuring the implementation of the NSW Cyber Security Policy across the NSW Government
- reviewing the summarised agency/portfolio reports against the NSW Cyber Security Policy's Mandatory Requirements
- providing leadership, support and resources for the NSW Cyber Security Policy and advocating organisational commitment to improving the cyber security culture of the agency/portfolio.
NSW Chief Cyber Security Officer (NSW CCSO)
The NSW CCSO is accountable for:
- creating and implementing the NSW Cyber Security Strategy
- building a cyber-aware culture across the NSW Government
- reporting on consolidated agency compliance and maturity
- chairing the NSW Government Cyber Security Steering Group (CSSG)
- consulting with agencies and providing advice and assistance to the NSW Government on cyber security, including improvements to NSW Cyber Security Policy, capability and capacity
- recommending and recording exemptions to any part of the NSW Cyber Security Policy
- representing the NSW Government on cross-jurisdictional matters relevant to cyber security
- assisting agencies in sharing information on security threats and cooperating on security threats and intelligence to enable management of government-wide cyber risk
- receiving, collating and reporting on high cyber risks and monitoring cyber security incident reports across the NSW Government
- creating and implementing the NSW Government cyber incident response arrangements
- coordinating the NSW Government response to significant cyber incidents and cyber crises.
Chief Information Security Officers (CISOs) or Chief Cyber Security Officers (CCSOs)
All CISOs and CCSOs, or staff with those responsibilities, are responsible for:
- defining and implementing a cyber security plan for the protection of the agency's information and systems
- developing a cyber security strategy, architecture and risk management process, and incorporating these into the agency's current risk framework and processes
- deciding on risk treatment strategies for cyber security within the agency when the identified risk falls outside the acceptable risk tolerance
- implementing policies, procedures, practices and tools to ensure compliance with the NSW Cyber Security Policy
- reviewing and providing recommendations on any exemptions to agency or portfolio information security policies and standards
- reporting as required by the NSW Cyber Security Policy
- investigating, responding to and reporting on cyber security incidents to the appropriate agency governance forum and Cyber Security NSW, based on severity definitions provided by Cyber Security NSW.
Portfolio CISOs and CCSOs, or staff with those responsibilities, are responsible for:
- supporting agencies in their portfolio to implement and maintain an effective cyber security strategy and program (e.g. via effective collaboration and/or governance forums, advice on budgeting and resourcing and so forth)
- managing the portfolio level cyber security budget (where applicable), and ensuring that resources are allocated to address cyber security needs
- applying for relevant programs/funding, e.g. Digital Restart Fund, ACSC uplift programs etc.
Chief Information Officer (CIO) or Chief Operating Officer (COO)
CIOs or COOs, or staff with CIO/COO responsibilities, are accountable for:
- working with CISOs and across their agency to implement the NSW Cyber Security Policy, including allocating sufficient resources and funding to manage the identified cyber security risks under their remit
- implementing a cyber security strategy and plan that includes consideration of threats, risks and vulnerabilities that impact the protection of the agency’s information and systems within the agency’s cyber security risk tolerance
- ensuring that all staff, including consultants, contractors and outsourced service providers, understand the cyber security requirements of their roles
- defining the scope of CIO or COO responsibilities for cyber security relating to assets such as information, building management systems and IACS
- assisting CISOs, CCSOs or equivalent positions with their responsibilities
- ensuring a secure-by-design approach for new initiatives and upgrades to existing systems, including legacy systems
- ensuring all staff and providers understand their role in building and maintaining secure systems.
Information Security Manager, Cyber Security Manager or Senior Responsible Officer
Information Security Managers, Cyber Security Managers or Senior Responsible Officers are responsible for the following within their agency or portfolio:
- managing and coordinating the response to cyber incidents, changing threats and vulnerabilities
- developing and maintaining cyber security procedures and guidelines
- implementing and executing controls to mitigate risks
- providing guidance on cyber security risks introduced from business and operational change
- managing the lifecycle of cyber security platforms, including design, deployment, ongoing operation and decommissioning
- ensuring appropriate management of the availability, capacity and performance of cyber security hardware and applications
- providing input and support to regulatory compliance and assurance activities and managing any resultant remedial activity
- developing a metrics and assurance framework to measure the effectiveness of controls
- providing day-to-day management and oversight of operational delivery.
Information Management Officer
A portfolio or agency should have a person or persons who fulfil the role of Information Management Officer. The Information Management Officer undertakes information and records management activities to ensure all information and records are managed in accordance with the agency's record-keeping plan, policies, processes and procedures. They are responsible for:
- acting as a focal point within their agency for all matters related to information management required to support cyber security, and
- ensuring that a cyber incident that involves information damage or loss is escalated and reported to the appropriate information management response team in their agency.
Privacy Officer
Agencies should have a person who fulfils the role of Privacy Officer, as recommended by the Information and Privacy Commission NSW (IPC NSW). The role is responsible for:
- acting as point of contact with IPC NSW, the public and within the agency for all matters related to privacy and personal information
- ensuring that privacy considerations are integrated into the agency’s overall cyber security policies, procedures and processes
- assisting in identifying privacy impacts of new projects or proposed new legislation
- collaborating with the cyber security team in incident response planning
- coordinating the investigation of privacy incidents, determining the extent of the breach and coordinating notifications to affected individuals and regulatory authorities
- assessing and managing privacy complaints.
Internal Audit
Agency internal audit teams are responsible for:
- validating that the cyber security strategy and plan meets the agency’s business goals and objectives, and ensuring the plan supports the agency’s cyber security strategy
- regularly reviewing their agency’s adherence to the NSW Cyber Security Policy and cyber security controls
- providing assurance regarding the effectiveness of cyber security controls
- reporting results of audit and assurance activities to the Audit and Risk Committee and Agency Head, as required.
Risk
Agency risk teams are responsible for:
- aligning cyber security with organisational goals and objectives
- conducting risk assessments to identify and evaluate potential cyber security threats and vulnerabilities
- managing cyber security risks within an agency and those associated with third-party service providers
- integrating cyber security into the agency’s overall risk management framework and risk appetite
- meeting with the portfolio CISO to ensure cyber risk frameworks are aligned with the enterprise risk framework.
Agency staff
Agency staff should contribute to an agency’s cyber security culture. Responsibilities include:
- practising secure password habits
- identifying and reporting cyber incidents and cyber threats
- completing cyber security awareness programmes and role-based training
- safeguarding classified information
- staying informed about cyber security best practices.
Third-party service providers
Agencies are responsible for managing cyber security requirements and risks posed by third-party service providers. The scope of this responsibility applies at a minimum to: a) ICT service providers (including third-party NSW Government shared service providers), and b) other third-party service providers which process or store an agency’s sensitive information.
Mandatory Requirement 1.10 sets out minimum expectations for third-party security risk management including detailed requirements for use of contract clauses, monitoring and enforcement for in-scope third-party service providers.
Agency responsibilities include:
- ensuring third-party risks are considered in enterprise risk management processes
- conducting regular management of third-party risks through ongoing risk-based reviews to verify compliance with contractual agreements and security measures
- establishing and maintaining a comprehensive inventory of all external third-party service providers engaged
- ensuring responsibilities in contracts extend to meeting cyber security requirements by defining risk-based tolerances and processes to manage when a third-party fails to comply with the agreed security requirements in contracts (e.g. break clauses) and offboarding if non-compliance continues
- dependent on the risks associated with a particular product or service, agencies may consider including the following in new procurement processes and contracts, in accordance with NSW Government’s ICT Purchasing Framework:
  - accountability for suspected or actual security incidents or breaches to any data, systems infrastructure or processes used in its arrangement, and ensuring all incidents are reported immediately, enabling timely protective measures
  - documenting controls and data segmentation in contracts or service level agreements with the provider, relative to the data classification of the information and systems that are to be covered and the service being provided
  - requiring access control processes safeguarding agency data confidentiality, integrity and availability by limiting access to authorised individuals
  - prioritising security for users accessing sensitive data, including mandating multi-factor authentication, significantly reducing unauthorised access risks
  - data sovereignty upon contractual negotiations, including data hosting locations and locations of support services offered by the third-party service provider
  - privacy provisions when third-party service providers capture, hold or process personal information
  - where privileged access to systems is required to perform services, third-party service providers will be required to follow documented agency processes for requesting access each time it is required, and agencies should consider revoking access whenever it is not in use.
Existing contracts may not have appropriate contractual mechanisms to enable agencies to effectively exercise their responsibilities in relation to this section. Where this is the case, the agency may be subject to increased risks through the inability to require or contractually enforce requirements related to cyber security (e.g. incident notification, obligations for implementation of appropriate security protections to protect services and customer data, termination of contracts due to security considerations and/or appropriate assurance of the performance of security obligations in the contract). For legacy contracts, agencies are expected to take a risk-based approach to managing these third-party services. This includes ensuring that the relevant risks and mitigation strategies are appropriately documented, managed (and where required, escalated) in line with the agency’s risk management framework.
Where agencies require third-party service providers to assist with their implementation of the NSW Cyber Security Policy, agencies should ensure they have the following in place to protect government systems outsourced to them or that they have access to.
- Mandatory Requirement 1.10.1 – Establish and maintain an inventory of third-party service providers, including ICT service providers.
- Mandatory Requirement 1.10.2 – Ensure there is a contractually supported process for third-party service providers to notify the agency of suspected or actual security incidents, as well as data breaches (noting this will vary based on risk profile and risk appetite).
- Mandatory Requirement 1.10.3 – Have processes to monitor and assess adherence of third-party service providers to cyber security requirements, including using assurance reports, audits, test results or other forms of evaluations.
- Mandatory Requirement 1.10.4 – Include clauses in contracts with third-party service providers for cyber security requirements and break clauses associated with failure to meet security requirements.
- Mandatory Requirement 3.2.1 – Establish a process for granting, maintaining and revoking access for agency systems, applications and information to ensure authorised access only.
- Mandatory Requirement 3.5.2 – Multi-factor authentication is used to authenticate users to third-party online services that process, store or communicate their entity’s sensitive data.
- Mandatory Requirement 3.5.3 – Multi-factor authentication (where available) is used to authenticate users to third-party online services that process, store or communicate their entity’s non-sensitive data.
- Mandatory Requirement 3.5.5 – Multi-factor authentication is used to authenticate users to third-party online customer services that process, store or communicate their entity’s sensitive customer data.
This does not prevent other contractual obligations being imposed.
NSW Government shared service providers
Any departments, agencies or statutory authorities that provide services covered by the NSW Cyber Security Policy must provide reporting information to entities using their services to ensure accountability and enable effective third-party risk management. Responsibilities include reporting:
- security to all affected entities whose interests or security arrangements could be affected by the outcome of unmitigated security risks, security incidents or vulnerabilities, in the shared service provider’s implementation of the NSW Cyber Security Policy, and
- any Mandatory Requirements that are not met or partially met, considering compensating controls.