Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Current »

Role

Information Security Officer

Description

Ensures Platform is safe, secure and private, and that the Voluntarily service is resilient and sustainable.

Incumbent

Andrew Watkins (pro tem)

Accountable for

Ensure all information assets associated with Voluntarily platform and services are secure from loss or damage. That development and operational processes meet recommended security practices

Responsible for

Information Security and privacy policy, processes, design and implementation.

Owner of

Asset and Risk registers. Key & Secret management systems.

Consulted on

Functional requirements, Customer experience, Identity management, Systems design and implementation, Operational deployment and risk management.

Informed of

Incidents

SFIA

http://sfia.niwa.co.nz/#/IRMG-5+IRMG-6+SCTY-5+SCTY-6+INAS-6+BURM-5+COPL-5+SFEN-5+SCAD-5+SCAD-6+PENT-5+PENT-6+DGFS-5

Strategy and architecture

Information strategy

Information management - IRMG

The overall governance of how all types of information, structured and unstructured, whether produced internally or externally, are used to support decision-making, business processes and digital services. Encompasses development and promotion of the strategy and policies covering the design of information structures and taxonomies, the setting of policies for the sourcing and maintenance of the data content, and the development of policies, procedures, working practices and training to promote compliance with legislation regulating all aspects of holding, use and disclosure of data.

Level 5

Drafts and maintains the policy, standards and procedures for compliance with relevant legislation. Understands the implications of information, both internal and external, that can be mined from business systems and elsewhere. Makes business decisions based on that information, including the need to make changes to systems. Reviews proposals for new digital initiatives and provides specialist advice on information management, including advice on and promotion of collaborative working and assessment and management of information-related risk. Creates and maintains an inventory of information assets, which are subject to relevant legislation. Prepares, reviews and submits periodic notification of registration details to the relevant regulatory authorities. Ensures that formal information access requests and complaints are dealt with according to approved procedures.

Level 6

Maintains and communicates the organisation's strategy for managing information, ensuring that uniformly recognised and accepted data definitions are developed and applied throughout the organisation. Ensures that the business processes and information required to support the organisation are defined and devises appropriate standards, processes and data architectures. Identifies the impact of any relevant statutory, internal or external regulations on the organisation's use of information and develops strategies for compliance. Coordinates information resources to support digital services and analytics, whilst maintaining the principles of professional standards, accountability, openness, equality and diversity and clarity of purpose. Implements systems and controls to measure performance, and manage risk.

Information security - SCTY

The selection, design, justification, implementation and operation of controls and management strategies to maintain the security, confidentiality, integrity, availability, accountability and relevant compliance of information systems with legislation, regulation and relevant standards.

Level 5

Provides advice and guidance on security strategies to manage identified risks and ensure adoption and adherence to standards. Obtains and acts on vulnerability information and conducts security risk assessments, business impact analysis and accreditation on complex information systems. Investigates major breaches of security, and recommends appropriate control improvements. Contributes to development of information security policy, standards and guidelines.

Level 6

Develops and communicates corporate information security policy, standards and guidelines. Contributes to the development of organisational strategies that address information control requirements. Identifies and monitors environmental and market trends and pro-actively assesses impact on business strategies, benefits and risks. Leads the provision of authoritative advice and guidance on the requirements for security controls in collaboration with experts in other functions e.g. legal, technical support. Ensures architectural principles are applied during design to reduce risk and drives adoption and adherence to policy, standards and guidelines.

Information assurance - INAS

The protection of integrity, availability, authenticity, non-repudiation and confidentiality of information and data in storage and in transit. The management of risk in a pragmatic and cost effective manner to ensure stakeholder confidence.

Level 6

Develops corporate Information assurance policy, standards and guidelines. Contributes to the development of organisational strategies that address the evolving business risk and information control requirements. Drives adoption of and adherence to policies and standards through the provision of expert advice and guidance in order to ensure architectural principles are applied, requirements are defined and rigorous security testing is applied. Monitors environmental and market trends and pro-actively assesses impact on business strategies, benefits and risks.

Business strategy and planning

Business risk management - BURM

The planning and implementation of organisation-wide processes and procedures for the management of risk to the success or integrity of the business, especially those arising from the use of information technology, reduction or non-availability of energy supply or inappropriate disposal of materials, hardware or data.

Level 5

Carries out risk assessment within a defined functional or technical area of business. Uses consistent processes for identifying potential risk events, quantifying and documenting the probability of occurrence and the impact on the business. Refers to domain experts for guidance on specialised areas of risk, such as architecture and environment. Co-ordinates the development of countermeasures and contingency plans.

Technical strategy and planning

Continuity management - COPL

The provision of service continuity planning and support. This includes the identification of information systems which support critical business processes, the assessment of risks to those systems' availability, integrity and confidentiality and the co-ordination of planning, designing, testing and maintenance procedures and contingency plans to address exposures and maintain agreed levels of continuity. This function should be performed as part of, or in close cooperation with, the function which plans business continuity for the whole organisation.

Level 5

Owns the service continuity planning process and leads the implementation of resulting plans. Coordinates the identification by specialists across the organisation of information and communication systems which support the critical business processes, and the assessment of risks to the availability, integrity, and confidentiality of those systems. Evaluates the critical risks associated with these systems and identifies priority areas for improvement. Coordinates the planning, designing, testing of maintenance procedures and contingency plans to address exposure to risk and ensure that agreed levels of continuity are maintained.

Development and implementation

Systems development

Safety engineering - SFEN

The application of appropriate methods to assure safety during all lifecycle phases of safety-related systems developments, including maintenance and re-use. These include safety hazard and risk analysis, safety requirements specification, safety-related system architectural design, formal method design, safety validation and verification, and safety case preparation.

Level 5

Identifies and analyses hazards and contributes to the identification and evaluation of risk reduction measures, ensuring these are adequately documented. Specifies safety-related systems architectures up to the highest safety integrity levels. Develops and maintains project safety assurance plans, monitors compliance and ensures that safety assurance evidence is gathered for safety case preparation.

Delivery and operation

Service operation

Security administration - SCAD

The provision of operational security management and administrative services. Typically includes the authorisation and monitoring of access to IT facilities or infrastructure, the investigation of unauthorised access and compliance with relevant legislation.

Level 5

Monitors the application and compliance of security administration procedures and reviews information systems for actual or potential breaches in security. Ensures that all identified breaches in security are promptly and thoroughly investigated and that any system changes required to maintain security are implemented. Ensures that security records are accurate and complete and that request for support are dealt with according to set standards and procedures. Contributes to the creation and maintenance of policy, standards, procedures and documentation for security.

Level 6

Develops policies, standards, processes, guidelines for ensuring the physical and electronic security of automated systems. Ensures that the policy and standards for security administration are fit for purpose, current and are correctly implemented. Reviews new business proposals and provides specialist advice on security issues and implications.

Penetration testing - PENT

The assessment of organisational vulnerabilities through the design and execution of penetration tests that demonstrate how an adversary can either subvert the organisation's security goals (e.g. the protection of specific Intellectual Property) or achieve specific adversarial objectives (e.g. establishment of a covert Command and Control infrastructure). Pen Test results provide deeper insight into the business risks of various vulnerabilities.

Level 5

Coordinates and manages planning of penetration tests, within a defined area of business activity. Delivers objective insights into the existence of vulnerabilities, the effectiveness of defences and mitigating controls - both those already in place and those planned for future implementation. Takes responsibility for integrity of testing activities and coordinates the execution of these activities. Provides authoritative advice and guidance on the planning and execution of vulnerability tests. Defines and communicates the test strategy. Manages all test processes, and contributes to corporate security testing standards.

Level 6

Takes a comprehensive approach to seeking vulnerabilities across the full spectrum of organisation policies, processes, and defences in order to improve organisational readiness, improve training for defensive practitioners, and inspect current performance levels. Determines testing policy, and owns the supporting processes. Takes responsibility for the management of all vulnerability testing activities within the organisation. Assesses and advises on the practicality of testing process alternatives. Initiates improvements to test processes and directs their implementation. Assesses suppliers' development and testing capabilities. Manages client relationships with respect to all testing matters.

Skills and quality

Quality and conformance

Digital forensics - DGFS

The collection, processing, preserving, analysing, and presenting of computer-related evidence in support of security vulnerability mitigation and/or criminal, fraud, counterintelligence, or law enforcement investigations.

Level 5

Conducts investigations to correctly gather, analyse and present digital evidence to both business and legal audiences. Collates conclusions and recommendations and presents forensics findings to stakeholders. Contributes to the development of policies, standards and guidelines.

  • No labels