Information security (restructured) SCTY

(modified)

Defining and operating a framework of security controls and security management strategies.

Guidance notes

(new)

The purpose of security controls and management strategies is to... 

  • maintain the security, confidentiality, integrity, availability, accountability of information systems
  • ensure information systems comply with legislation, regulation and relevant standards

Activities include but not limited to...

  • selecting, adopting and adapting security control frameworks
  • designing, justifying and implementing security management strategies

Examples of types of security controls include...

  • physical controls 
  • procedural or administrative controls 
  • technical or logical controls 
  • legal and regulatory or compliance controls 

These activities are typically performed in collaboration with specialists in other areas such as - but not limited to - legal, technical infrastructure, audit, architecture, software engineering.

Information security (restructured): Level 7

(modified)

Directs the development, implementation, delivery and support of an enterprise information security strategy aligned to the business strategy. Ensures compliance between business strategies and information security. Leads the provision of information security expertise, guidance and systems needed to execute strategic and operational plans. Secures organisational resources to execute the information security strategy.

Information security (restructured): Level 6

(modified)

Develops and communicates corporate information security policy, standards and guidelines. Ensures architectural principles are applied during design to reduce risk. Drives adoption and adherence to policy, standards and guidelines. Contributes to the development of organisational strategies that address information control requirements. Identifies and monitors environmental and market trends and pro-actively assesses impact on business strategies, benefits and risks. Leads the provision of authoritative advice and guidance on the requirements for security controls in collaboration with subject matter experts.

Information security (restructured): Level 5

(unchanged)

Provides advice and guidance on security strategies to manage identified risks and ensure adoption and adherence to standards. Obtains and acts on vulnerability information and conducts security risk assessments, business impact analysis and accreditation on complex information systems. Investigates major breaches of security, and recommends appropriate control improvements. Contributes to development of information security policy, standards and guidelines.