Purpose
South Australian (SA) Government agencies are required to appoint at least one Information Technology Security Advisor (ITSA). This guideline describes the role, responsibilities and recommended capabilities of the ITSA, including how to appoint a person to the role. It aligns with the South Australian Cyber Security Framework (SACSF) and South Australian Protective Security Framework (SAPSF).
Scope
This guideline has been developed to assist SA Government agencies to appoint an ITSA. The SACSF and SAPSF policy statements that align with this guideline are:
SACSF Policy Statement 1.2 Organisational Structure and Staff Responsibilities: A structure for managing cyber security must be embedded into the agency’s governance framework. Roles and responsibilities for cyber security must be formally assigned by senior leadership, demonstrating the commitment to providing suitable resources to manage the agency’s cyber security program. Personnel and contractors must be provided with information and training to support awareness of their collective responsibility to foster a positive security culture.
SAPSF GOVSEC-1 Security Governance: This policy describes how an agency’s accountable authority can establish effective security governance to protect their agency’s people, information and assets. An effective governance structure ensures employees with the appropriate knowledge and position are empowered and resourced to maintain agency security.
Appointing an ITSA
The Agency Security Executive can formally appoint an ITSA, and a Deputy ITSA if required, and provide notification of the appointment to the Cyber Security Directorate in the Office of the Chief Information Officer (OCIO) by emailing CyberSecurityOCIO@sa.gov.au.
It is recommended that agencies with more than 500 personnel dedicate 1 FTE to the ITSA role and the ITSA role is included in the job and person specification. It may be appropriate to appoint additional cyber security advisers, including a Deputy ITSA, who can fulfil the duties of ITSA in their absence.
Large agencies, or those with diverse functions or locations, may consider appointing more than one ITSA.
Role of the ITSA
The ITSA provides support and advice to senior management and agency staff on cyber security matters.
The agency chief executive may ask the ITSA to fulfil the cyber security program owner responsibilities, or other functions, identified in the South Australian Cyber Security Framework (SACSF). This decision will be based on agency requirements.
The ITSA must maintain high levels of trust, integrity and responsibility. The ITSA will provide support and independent, impartial advice to the agency security executive (ASE) and work closely with the agency security adviser (ASA).
The ITSA will be the Department of the Treasury and Finance (DTF) main contact for cyber security matters. DTF will regularly advise and consult them in relation to threats to the state government’s ICT infrastructure, systems and services.
Agencies should make sure that the person considered for the role of ITSA:
- Is an SA Government employee.
  The position of ITSA must be held by an SA Government employee. It is recognised that an ITSA may not have extensive knowledge on all security issues and may seek guidance from external providers.
- Has both broad business and technical knowledge.
  The ITSA should be able to provide advice on the security of ICT systems and information security matters to executives and business owners. They will also need to communicate risks in a way that all personnel can understand.
- Has broad knowledge of current cyber security practice.
  The ITSA should have detailed knowledge of agency-specific and South Australian Government protective security policies, principles and standards. They should be provided with opportunities to maintain this knowledge.
- Has a security clearance at the required level.
  The ITSA will need a South Australian Government security clearance of at least ‘Baseline’ level. Their clearance must be appropriate for the information or systems they need to access to do their job. Further information on clearance levels is available from the Australian Government Security Vetting Agency.
- Has relevant experience.
  The person appointed to the ITSA position is expected to have experience in one or more of the following areas:
  - Security
  - Risk, Audit, Assurance or Compliance
  - Governance
  - Technical ICT.
- Has no conflicting operational demands and responsibilities.
  The ITSA position should be able to offer independent and impartial advice without resourcing or financial constraints.
Responsibilities and competencies
Typical responsibilities of an ITSA include:
- Understanding and implementing the requirements of the SACSF in line with the agency’s risk appetite and operational environment.
- Identifying, assessing, and managing cyber security risks.
- Incorporating security measures into projects and procurements.
- Providing advice on information and cyber security risk management arrangements.
- Ensuring appropriate policies and procedures are established for the protection of the agency’s digital information and systems.
- Ensuring the agency’s ICT systems are protected against unauthorised access or compromise, and that digital information is processed and communicated in accordance with relevant laws and SA Government policies.
- Developing a cyber security awareness program to ensure staff are aware of their cyber security obligations. This may also include providing briefings to agency employees travelling overseas.
- Responding to and managing cyber security incidents and ensuring they are reported to the SA Government Watch Desk as required by PC042 Cyber Security Incident Management.
- Assisting the Watch Desk during a cyber security incident as detailed in PC042 Cyber Security Incident Management.
- Preparing cyber security reports for the ASE or security committees.
- Preparing the annual SACSF Attestation.
- Coordinating or conducting cyber security reviews and audits.
- Liaising with law enforcement and intelligence agencies, other emergency services, service providers, clients and stakeholders.
The ITSA should also have, or be given training to develop competency in the following areas:
- Communication and business management skills.
- Knowledge of the principles, policy statements and expectations which govern the security of government information and ICT systems.
- Management of cyber security incidents.
- Awareness of recognised cyber security frameworks and standards, for example:
- Australian Government Information Security Manual (ISM)
- ISO/IEC 27001/27002
- NIST.