ASA and ITSA Functions and Competencies guidelines

By Linda Harper, 2014-07-11 10:40

    Protective security governance guidelines: Agency security adviser and IT security adviser functions and competencies

    Approved

    13 September 2011

    Version 1.0

© Commonwealth of Australia 2011

    All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia (http://creativecommons.org/licenses/by/3.0/au/deed.en) licence. For the avoidance of doubt, this means this licence only applies to material as set out in this document.

    The details of the relevant licence conditions are available on the Creative Commons website (accessible using the links provided) as is the full legal code for the CC BY 3.0 AU licence (http://creativecommons.org/licenses/by/3.0/legalcode).

    Use of the Coat of Arms

    The terms under which the Coat of Arms can be used are detailed on the It's an Honour (http://www.itsanhonour.gov.au/coat-arms/index.cfm) website.

    Contact us

    Inquiries regarding the licence and any use of this document are welcome at: Business Law Branch

    Attorney-General’s Department

    3-5 National Cct

    BARTON ACT 2600

    Telephone: (02) 6141 6666

    copyright@ag.gov.au

Document details

    Security classification: Unclassified

    Dissemination limiting marking: Publicly available

    Date of security classification review: July 2013

    Authority: Protective Security Policy Committee

    Author: Protective Security Policy Section, Attorney-General’s Department

    Document status: Approved by PSPC 13 September 2011


Contents

    1. Introduction ........................................................ 1

    1.1 Purpose ............................................................. 1

    1.2 Audience ............................................................ 1

    1.3 Scope ............................................................... 1

    1.3.1 Use of specific terms in these guidelines ......................... 1

    2. Background ........................................................... 2

    2.1 Why were these Guidelines developed? ................................ 2

    2.2 Relationship to other documents ..................................... 2

    2.3 How are these guidelines structured? ................................ 2

    3. ASA and ITSA roles ................................................... 3

    3.1 Authority of the ASA and ITSA positions ............................. 3

    4. ASA functions and competencies ....................................... 4

    4.1 ASA functions ....................................................... 4

    4.2 ASA competencies .................................................... 5

    4.2.1 Conduct of investigations ......................................... 3

    5. ITSA functions and competencies ...................................... 7

    5.1 ITSA functions ...................................................... 7

    5.2 ITSA competencies ................................................... 7

    5.2.1 Conduct of investigations

    6. Use of specialist service providers .................................. 9

    6.1 External training providers ......................................... 9


Amendments

    No. Location Amendment

    1.

    2.

    3.


1. Introduction

    1.1 Purpose

    The PSPF Protective security governance guidelines Agency security adviser and IT security adviser functions and competencies identify better practice and provide advice to agencies to assist them in selecting and developing the skills of agency security advisers (ASAs) and IT security advisers (ITSAs).

    1.2 Audience

    These guidelines apply to:

    • Agency senior management, particularly the Senior Executive Service officer responsible for security

    • ASAs and ITSAs

    • other agency security management personnel, and

    • contracted protective security management service providers.

    1.3 Scope

    These guidelines amplify the Protective Security Policy Framework (PSPF) Governance 4.5 Developing a security culture relating to the functions and competencies identified to fulfil the roles of ASA and ITSA within agencies. These guidelines provide better practice guidance to the PSPF mandatory requirements GOV 2 and GOV 3.

    Agencies are responsible for determining how they will fulfil the functions identified in these guidelines. The functions may be undertaken using personnel in other areas of the agency.

    1.3.1 Use of specific terms in these guidelines

    ‘Service provider’ refers to a contractor to a government agency and/or sub-contractors to the agency’s contractor.

    In these guidelines the use of the terms:

    • ‘need to’ refers to a legislative requirement that agencies must meet

    • ‘are required to’ or ‘is required to’ refers to a control:

      - to which agencies cannot give a policy exception, or

      - used in other protective security documents that set controls.

    • ‘are to’ or ‘is to’ are directions required to support compliance with the mandatory requirements of the physical security core policy, and

    • ‘should’ refers to better practice; agencies are expected to apply better practice unless there is a reason based on their risk assessment to apply alternative controls.

    For details on policy exceptions see the PSPF Australian Government Physical Security Management Protocol (section 1.4).


2. Background

    2.1 Why were these Guidelines developed?

    The PSPF Protective security governance guidelines Agency security adviser and IT security adviser functions and competencies were developed to assist agency senior managers in selecting and developing ASAs and ITSAs. These guidelines also identify to ASAs and ITSAs areas where personal development may be beneficial to them and their agencies.

    2.2 Relationship to other documents

    These Guidelines explain mandatory requirements GOV 2 and GOV 3 which require agencies to appoint staff to be responsible for day-to-day performance of protective security and ICT systems security functions.

    2.3 How are these guidelines structured?

    The guidelines are broadly divided into four sections:

    • ASA and ITSA roles and authority

    • ASA functions and competencies

    • ITSA functions and competencies, and

    • use of outsourced service providers.


3. ASA and ITSA roles

    The ASA and ITSA functions are distinct and separate roles. The competencies identified to perform each role would normally mean that separate specialist staff are appointed to each role. Smaller agencies may appoint the same person to be responsible for the ASA and ITSA functions, where they contract in specialist advisers.

    If appropriate, agencies can also appoint additional staff to help the ASA and ITSA perform their functions. The ASA and ITSA remain responsible for the management of the identified functions. In order to meet their responsibilities, the ASA and ITSA should develop a detailed understanding of their agency’s business processes and outcomes.

    By working together closely, the ASA and ITSA should ensure that any physical, information or personnel security measures are complementary, promote security-in-depth, and achieve the agency’s security objectives.

    3.1 Authority of the ASA and ITSA positions

    ASA and ITSA positions should be at a level that only requires broad direction in terms of objectives, mission or functions. Agencies should consider outputs by the ASA and ITSA as technically authoritative, and their decisions should have moderate or significant corporate impacts. ASAs and ITSAs should hold delegations giving them final authority to undertake specific action in line with the policy of the agency, or to review previous actions or decisions in the work area.

    Staff appointed to ASA and ITSA positions are expected to have experience in the field related to their work area. Depending on the size of the agency and/or complexity of the agency’s security requirements, the ASA and ITSA may need extensive experience and substantial or higher knowledge in their respective fields of expertise. In every case they will have, or are to quickly gain, a comprehensive knowledge of the relevant Australian Government protective security policies.

    In large agencies the ASA and ITSA positions may have broader management responsibilities. In these situations, where the ASA or ITSA is not a security specialist, the agency’s security management structure is to include officers with the required specialist skills to support the ASA or ITSA.

    3.1.1 Conduct of investigations

    ASAs who conduct or supervise fraud investigations are to be appropriately qualified in accordance with the Commonwealth Fraud Control Guidelines March 2010 and the Australian Government Investigation Standards.

    ASAs who investigate major security incidents should comply with the practices and procedures specified in the Australian Government Investigation Standards, and follow the PSPF Guidelines to Reporting Incidents and Conducting Security Investigations.

    ITSAs who undertake investigations of ICT systems to recover evidence for investigations are to work in conjunction with, or be, a qualified investigator.

    See the PSPF Guidelines to Reporting Incidents and Conducting Security Investigations on appointing investigators.


4. ASA functions and competencies

    4.1 ASA functions

    ASAs play a central role in assisting agency heads to meet their obligation to have in place effective protective security programs that ensure their agencies’ capacity to function. As a security professional, the ASA is integral in developing, implementing and monitoring agency security procedures and systems.

    The ASA helps senior management analyse the agency’s security environment and plan measures to counter unacceptable security risks. The ASA should establish good networks and relations with key areas within their agency to enable them to understand their agency’s business functions and vulnerabilities, and should be accessible to staff to discuss any security issues or concerns.

    The ASA leads the development of a culture that promotes staff valuing, protecting and using agency information and assets correctly.

    The ASA is responsible for the day-to-day management of protective security measures within an agency to ensure:

    • the agency’s security practices and procedures comply with the law, Australian Government policies, and agency specific policies and procedures, and

    • the security outcomes specified in the agency security plan are being achieved.

    The functions of an ASA, or their supporting organisation, can include any or all of the following:

    • manage the agency protective security staff

    • develop agency security plans, policies and procedures

    • act as the principal adviser on security risk management for the agency

    • provide security advice to his or her own and other agencies

    • prepare security reports

    • coordinate and conduct security audits

    • liaise with ICT staff on computer and communications security

    • manage the agency’s personnel security program, including:

      - develop and conduct security awareness training programs

      - provide briefings and advice to agency personnel, including briefings to staff located or travelling overseas

      - manage the personnel security aftercare program

    • liaise with and manage security contractors in the delivery of security services including, but not limited to:

      - Security Construction and Equipment Committee (SCEC) endorsed consultants

      - security industry specialists (e.g. CCTV, EACS, TSCM, etc.)

      - guarding

      - safehand and overnight courier services

      - secure destruction services, and

      - locksmithing services.

    • undertake strategic planning for agency protective security including the preparation of:

      - advice for new or green-field sites, and

      - security budgets

    • respond to and/or manage security incidents

    • manage simple security, fraud and administrative investigations, or escalate complex investigations to the relevant authority(s), see Conduct of investigations

    • develop and maintain external and internal security related networks, and

    • liaise with law enforcement and intelligence agencies, other emergency services, agency service providers, clients and stakeholders.

    In addition, to ensure that security measures are considered in other agency plans and/or training development programs, the ASA is expected to contribute to the:

    • agency business continuity plan (BCP)

    • fraud awareness training program, and

    • agency fraud control plan.

    4.2 ASA competencies

    The ASA, or their supporting organisation, should possess, or be given suitable training to develop, competency in the following areas (as relevant to each agency):

    • comprehensive knowledge of the Australian Government Protective Security Policy Framework

    • protective security technical competence in:

      - physical security

      - personnel security aftercare, and

      - information security

    • security risk assessment and management, including cost-benefit analysis

    • developing and delivering security awareness training

    • security incident investigations, and

    • generic management competencies including:

      - managing staff

      - managing contracts

      - developing policy, and

      - developing and administering budgets.

    While the ASA may not be responsible for business continuity management or fraud control, he or she should understand these processes to contribute to the development of the BCP and the fraud control plan.


    Occupants of dedicated, full-time ASA positions should be qualified to at least the Diploma of Government (Security), or equivalent. Where the ASA function is not a full-time role, the ASA should be qualified to the Certificate IV in Government (Security) level. Specialist security staff assisting the ASA should hold tertiary qualifications of at least a Certificate III in their specialisation.

    ASAs with current experience in security management may be able to get recognition of prior learning through a Registered Training Organisation (RTO). See External training providers.

