ICT Policy and Coordination Office, Department of Public Works
Queensland Government Enterprise Architecture

Implementing information and IM governance

QGEA

Document details

Security classification: PUBLIC
Date of review of security classification: November 2010
Authority: Queensland Government Chief Information Officer
Author: ICT Policy and Coordination Office
Documentation status: Final version

Contact for enquiries and proposed changes

All enquiries regarding this document should be directed in the first instance to:

Executive Director
ICT Policy & Coordination
[email protected]

Acknowledgements

This version of the Queensland Government Enterprise Architecture (QGEA) Information security internal governance guideline was developed and updated by the ICT Policy and Coordination Office.

Feedback was also received from a number of agencies, including members of the Information Security Reference Group, which was greatly appreciated.

Copyright

Information security internal governance guideline

Copyright © The State of Queensland (Department of Public Works) 2010

Licence

Information security internal governance guideline is licensed under a Creative Commons Attribution 2.5 Australia licence. To view a copy of this licence, visit http://creativecommons.org/licenses/by/2.5/au. Permissions may be available beyond the scope of this licence. See www.qgcio.qld.gov.au.

Information security internal governance guideline, Final v1.0.0, November 2010, PUBLIC

Final v1.0.0, November 2010 Page 2 of 21 PUBLIC

Information security internal governance guideline PUBLIC


Information security

This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.


Contents

1 Introduction ... 4
1.1 Purpose ... 4
1.2 Audience ... 4
1.3 Scope ... 4
2 Background ... 4
2.1 What is internal information security governance? ... 4
2.2 How was this guideline derived? ... 5
3 Example information security roles and responsibilities ... 6
3.1 Owner ... 8
3.2 Governance ... 8
3.3 Custodian ... 8
3.4 Administrator ... 10
3.5 Users ... 10
3.6 Related ICT roles and responsibilities ... 11
4 Information security governance body ... 13
4.1 Membership ... 13
4.2 Responsibilities ... 13
4.3 Authority ... 16
4.4 Suggested reporting requirements ... 16
4.5 Delegation ... 17
4.6 Operation ... 17
4.7 Review ... 17
Appendix A Suggested meeting agenda ... 18


1 Introduction

1.1 Purpose

This guideline:
• outlines best practices for implementing internal information security governance in line with Information Standard 18: Information security (IS18)
• is not mandatory and therefore agencies may choose to allocate information security roles and responsibilities differently.

1.2 Audience

This document is primarily intended for individuals and groups with information security roles and responsibilities.

1.3 Scope

This guideline supports IS18.

This guideline does not address supplemental information security roles (eg. human resources) or broader information management roles and responsibilities. For information management responsibilities see the Information management roles and responsibilities guideline.

Where possible, overlap with the roles and responsibilities specified in the Information management roles and responsibilities guideline has been avoided. For example, rather than duplicate the role of the Information asset custodian here, this role is discussed solely in the Information management roles and responsibilities guideline. However, both guidelines do discuss the roles and responsibilities of the Chief Executive Officer (CEO). This guideline should be read as specifying the information security responsibilities of the CEO and not their broader information management responsibilities.

2 Background

2.1 What is internal information security governance?

The Queensland Government information security policy framework defines internal information security governance as including:

‘… all activities related to the governance, authorisation and auditing of information security arrangements within the organisation. Roles and responsibilities relating to information security within the agency should also be defined.’


2.2 How was this guideline derived?

Section 3 of this guideline is derived from the following sources:
• The Australian Government Information Security Manual (ISM), developed by the Defence Signals Directorate under their role to provide policies and standards for Australian Government agencies to assist in the protection of official government information that is processed, stored or communicated by Australian Government systems. The Queensland Government is not bound to comply with the ISM; however, it does seek to align with the ISM where practical in order to ensure consistency of practices across jurisdictions. Section 3 of this guideline adopts and augments some of the roles and responsibilities defined in the ISM.
• Information Standard 44: Information asset custodianship (IS44)
• IS18
• other existing standards as specified throughout this document.


3 Example information security roles and responsibilities

This section provides example information security roles and responsibilities within the following categories:
• owner – has the authority and accountability for information security and approves rules
• governance – provides direction and endorsement; evaluates performance; manages risks and measures compliance
• custodian – defines the rules for information security on behalf of the owner
• administrator – implements information security rules on behalf of the custodian
• user – follows the information security rules where required.


Figure 1 Example agency specific information security roles and responsibilities (diagram; recoverable content only)

The diagram shows five layers of roles, each with example IS roles:
• OWNER – has the authority and accountability for information security; approves rules. Example IS roles: Chief Executive Officer; Information Security Director and/or Chief Information Officer.
• GOVERNANCE – governs information security (e.g. provides direction & endorsement, evaluates performance, manages risks & measures compliance). Example IS roles: Information Security Governance Body, and/or Information Steering Committee, and/or Information Governance Body.
• CUSTODIAN – defines information security rules on behalf of the Owner. Example IS role: Chief Information Security Officer.
• ADMINISTRATOR – implements information security rules on behalf of the Custodian. Example IS roles: Information Security Officers, Information Security Incident Response Team, External parties.
• USER – follows the information security rules where applicable. Example IS roles: Employees, External parties.

The arrows in the original diagram are labelled ‘is accountable to’, ‘delegates definition of rules to’, ‘implements rules’ and ‘adheres to rules’, linking the layers from User up to Owner.


3.1 Owner

3.1.1 CEO¹ and delegates

The agency CEO has the authority and accountability for information security. It is the CEO’s responsibility to:
• approve information security rules
• show leadership through awareness of their information security responsibilities
• provide support for the development, implementation and ongoing maintenance of information security processes and infrastructure within the agency
• ensure that the information security governance body is in operation
• ensure that agency information security responsibilities are met.

The CEO may delegate their responsibilities to either the:
• Chief Information Officer
• Information Security Director
• Information security governance body. Where this occurs, the aforementioned responsibilities fall to the chair of that body. If this occurs it is recommended that the chair of the body is an SES level officer, as this will ensure appropriate authority.

3.2 Governance

IS18 requires agencies to establish and document information security governance arrangements (including roles and responsibilities). It is suggested that agencies either establish a separate information security governance body or assign responsibility to an existing body (eg. information governance body or information steering committee). Section 4 provides implementation guidance for the information security governance body.

The implementation of information security governance arrangements is also a best practice control within AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements and AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management.

3.3 Custodian

3.3.1 Chief Information Security Officer (CISO)

The CISO is primarily responsible for setting information security policy. In addition the CISO may also have administrator responsibilities with regards to information security. The CISO may delegate their administrator responsibilities to members of the information security team, if a team exists. Specifically, it is the CISO’s responsibility, acting on behalf of the information security governance body, to:
• coordinate communication between security and business functions
• oversee the application of information security controls and information security risk management processes within the agency
• report to the agency CEO (or delegate), information security governance body and others as required on matters of information security within the agency

1 The equivalent role in the ISM is the agency head.


• develop, coordinate the implementation of, and maintain agency information security policy, plans, operations and risk management processes, and set and measure performance indicators for these to assist decision making
• ensure the agency complies with information security requirements (including coordinating tests of information security controls and compliance and maturity self assessments), thereby maintaining the security culture within the agency
• serve as a member of the information security governance body
• translate information security risks into business risks, thereby ensuring interest in information security from business owners within the agency
• work with ICT projects (including those where services are to be provided by external parties) to ensure alignment with information security requirements
• coordinate the use of external information security resources for the agency, including contracting and managing the resources
• control the information security budget and ensure ongoing funding in liaison with the information security governance body
• oversee and coordinate the operations of the Information Security Incident Response Team (ISIRT)
• serve as a member of the ISIRT
• ensure that information security incidents are managed according to agency policy and process
• be aware of all information security incidents within the agency and ensure significant information security incidents are escalated in accordance with agency procedures
• deliver incident reports compiled by the ISIRT and compliance reports to the information security governance body
• coordinate the development of information and ICT asset disaster recovery plans within the agency to ensure that business-critical services are supported appropriately in the event of a disaster
• oversee the development and operation of information security communication, awareness and training programs
• communicate with ICT asset custodians and personnel to increase their awareness of applicable information security policies and standards
• ensure that physical and personnel security controls are implemented to appropriately protect agency information
• work with the delegate owner (accountable officer) of information assets, or their delegates, and information asset custodians to ensure that information assets have been assigned appropriate information security classifications
• provide expert advice within the agency on information security and appropriate physical and personnel security controls to protect information assets
• coordinate the information security efforts of ICT Managers
• obtain the accreditation of ICT assets (for more information on accreditation against the Australian Government Protective Security Policy Framework (PSPF) (which has superseded the Australian Government Protective Security Manual) and ISM, contact the Defence Signals Directorate or see the Queensland Government Public Key Infrastructure Framework).


3.4 Administrator

3.4.1 Information security officers

Information security officers form part of the CISO’s team and fulfil administrator responsibilities as delegated by the CISO.

3.4.2 Information security incident response team (ISIRT)

The ISIRT is responsible for:
• answering and logging all incoming telephone calls and emails reporting information security events and incidents
• updating the events and incident register with new information security event and incident information
• conducting initial diagnosis of information security events and incidents
• classifying information security events and incidents
• determining or making a recommendation on what action is to be taken in response to an information security event or incident
• seeking external support to resolve an information security incident where required
• resolving incidents and notifying the Queensland Government Information Security Incident Virtual Response Team where applicable
• closing incidents and finalising the information security event or incident entry within the event and incident register
• providing feedback to employees who report information security incidents or are affected by them
• coordinating post information security incident forensic analysis
• compiling event and incident and compliance reports for the CEO, information security governance body, CISO and external parties as required
• recommending corrective and preventative actions in response to information security events and incidents to the CISO and information security governance body
• conducting other administrator duties such as backups and reviewing system event logs as required.

Further guidance on the ISIRT is available within the Information security event and incident management guideline (not yet approved).

3.4.3 External parties

External parties are responsible for implementing:
• their legislative responsibilities
• their contractual responsibilities
• the agency’s information security policies and processes.

Note that external parties may also be users. For more information, see the Information security external party governance guideline.


3.5 Users

3.5.1 Employees

Employees are responsible for understanding the information security policy and processes and in particular:
• following the relevant policies and processes for the systems that they are using (including password or other authentication mechanism requirements)
• when using, editing or receiving information into the agency from another source:
– ensuring appropriate controls are applied to security classified information
– for information that has not already been security classified or has been classified inappropriately, making a recommendation for a security classification or raising this with their manager or the information asset custodian
• securing unattended equipment (eg. locking computers when not at desk)
• keeping a clear desk and screen²
• reporting security incidents.³

It is the responsibility of privileged users to:
• protect privileged account authenticators at the same security classification as the system they secure
• not share authenticators for privileged accounts without approval
• be responsible for all actions under their privileged accounts
• use privileged access only to perform authorised tasks and functions
• report all potentially information security related issues to the agency’s ISIRT.

3.5.2 External parties

External parties are responsible for complying with:
• their legislative and contractual responsibilities
• the agency’s information security policies and processes.

External parties may also be administrators. For more information, see the Information security external party governance guideline.

3.6 Related ICT roles and responsibilities

3.6.1 ICT asset custodians

ICT asset custodians maintain the accreditation of ICT assets and are responsible for ensuring that associated information security documentation is developed and maintained. It is the responsibility of ICT asset custodians to:
• seek assistance from the CISO in the performance of their information security related responsibilities
• maintain the accreditation of ICT assets in liaison with the CISO
• direct the implementation of changes or initiatives as required by the information security plan relating to their ICT asset

2 AS/NZS ISO/IEC 27002: 2006 Information technology – Security techniques – Code of practice for information security management, p. 63.
3 Ibid, p. 90.


• direct the development and maintenance of ICT asset documentation including risks, information security controls (commensurate with the security classification of the information assets therein) and operating procedures
• ensure that information security events and incidents related to their ICT asset are detected and reported as required
• delegate administrator responsibilities to ICT managers and officers as required.

3.6.2 ICT managers

ICT managers ensure that administrator information security measures are appropriately considered and addressed within the agency. A Network Manager would be an example of an ICT manager within an agency⁴. ICT managers act as a conduit between the strategic directions provided by the CISO and ICT asset custodians, and the technical efforts of the ICT officers (see below). It is the responsibility of ICT managers to:
• ensure information security risks are addressed in ICT projects, including where services are to be provided by external parties
• liaise with vendors, agency purchasing and legal areas to establish mutually acceptable contracts and service level agreements that address information security issues
• implement information security policy and controls within their area
• serve as a member of the ISIRT as required
• assist both ICT asset custodians and information security officers in understanding and responding to information security audit failures
• ensure that information and ICT asset disaster recovery plans can be practically implemented within their areas.

3.6.3 ICT officers

It is the ICT officers’ responsibility to ensure the technical security of ICT assets. The ICT officer has the following administrator responsibilities:
• administer ICT asset security controls including access management, installation and configuration management, patch management and change management
• perform vulnerability assessments on ICT assets as directed
• locate and repair information security problems and failures
• serve as a member of the ISIRT as required
• produce incident and compliance reports for the ICT assets that they administer
• manage and audit system event logs for the ICT assets that they administer
• implement or coordinate remediation activities required by information security audits
• support ICT managers to ensure that information and ICT disaster recovery plans can be practically implemented within their areas
• implement changes or initiatives relating to the ICT assets that they administer as required by the information security plan
• communicate with ICT asset custodians and personnel to increase their awareness of applicable information security policies and standards
• other administrator duties as delegated by the ICT manager.

An example of an ICT officer within an agency may be the network operations staff that support the Network Manager (an ICT manager).

4 It is possible that an ICT manager is also an ICT asset custodian, eg. the Network Manager may also be the custodian of the network (ie. an ICT asset).


4 Information security governance body

4.1 Membership

Membership of the information security governance body should reflect the size, geography and complexity of the agency. Membership should include:
• CISO
• representative/s from information security administration
• representatives from across the organisation with relevant roles and responsibilities (eg. protective security, business areas, ICT, auditors, legal, human resources, risk management, business planning, information management).⁵

4.1.1 Chair

It is the responsibility of the Chair of the information security governance body to:
• lead and direct the activities of the information security governance body
• ensure that the information security governance body operates effectively, including setting meeting agendas and conducting meetings and business
• ensure adequate induction of new members
• determine performance standards and a program of work for the information security governance body
• fulfil the reporting requirements of the information security governance body (see suggestions below).

4.1.2 Role

The role of the information security governance body is to:
• direct the preparation and implementation of information security policies and processes
• evaluate and direct information security plans and initiatives
• review and monitor conformance to obligations and performance
• develop information security capability within the agency.

4.2 Responsibilities

The information security governance body fulfils this role by meeting the management and coordination responsibilities detailed in this section.

4.2.1 Direct the preparation and implementation of information security policies and processes

It is a role of the information security governance body to direct the preparation and implementation of the information security policies and processes.

5 Ibid, p.10; IT Governance Institute, Information security governance: guidance for boards of directors and executive managers, available from http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=34997, accessed 30 October 2009.


In order to fulfil this role, the following management responsibilities should be met:
• direct the preparation of, review and approve the department’s information security policy⁶. To assist agencies to meet this responsibility, the ICT Policy and Coordination Office has produced the Information Security Policy – Mandatory Clauses.
• ensure that the information security policy meets both compliance obligations and organisational requirements and is integrated into processes.

In addition to these management responsibilities, the following coordination responsibilities should be met:
• ensure that the implementation of information security controls is coordinated across the organisation
• identify how to manage non-compliance with information security policy⁷
• review and approve methodologies and processes for information security
• develop processes that ensure that internal and/or external audit are consulted when implementing new or significant changes to financial or critical business information systems
• assign responsibility for and oversee the management of information security registers (including a register of information security classified information and systems, and a disaster recovery register)
• ensure that policies and processes are in place to:
– determine business need for external party access arrangements to the agency’s information and ICT environment
– identify risks related to external party access to the agency’s information and ICT environment
– establish and define controls in agreement with external parties and ensure that they are documented in contract and service agreements
• contribute information security policies and tools to the Queensland Government Enterprise Architecture where beneficial.

4.2.2 Evaluate and direct information security plans and initiatives

It is a role of the information security governance body to evaluate and provide direction for information security initiatives.

In order to fulfil this role, the following management responsibilities should be met:
• direct the preparation of, review and approve the agency’s information security plan, ensuring that the plan identifies the agency’s information security goals and meets organisational requirements
• direct the preparation of, review and approve the agency’s disaster recovery plans that integrate with the agency’s business continuity plan – to assist agencies, the ICT Policy and Coordination Office has produced the ICT asset disaster recovery planning guideline
• provide input into agency general security plans and business continuity plans
• direct the preparation of, review and approve the agency’s overarching disaster recovery plan

6 AS/NZS ISO/IEC 27002: 2006 Information technology – Security techniques – Code of practice for information security management, p. 9.
7 Ibid, p. 10.


• direct the preparation of, review and approve the agency’s information security awareness plan
• provide clear direction and project board support for significant information security initiatives.

4.2.3 Review and monitor conformance to obligations and performance

It is a role of the information security governance body to review and monitor conformance to information security obligations and performance.

In order to fulfil this role, the following management responsibilities should be met:
• review the effectiveness of the implementation of the information security policy; this could be achieved by reviewing:
  – the completed Information Security Compliance Checklist (see also section 4.4)
  – information security incidents, and escalating where appropriate to the senior executive management group or other in accordance with local procedures
  – the information security incident report for submission to the QGCTO (see also section 4.4)
  – the results of exceptions from technical checks, and approve/endorse recommendations for corrective action
  – the results of business continuity and disaster recovery tests, and approve recommendations on corrective actions
  – monitoring external party arrangements for compliance; this includes:
    ▪ confirming that related risks have been identified and appropriate controls agreed and documented
    ▪ ensuring that arrangements are being executed in compliance with documented agreements.

In addition to these management responsibilities, the following coordination responsibilities should be met:
• assign responsibility for completing the agency’s annual self-assessment against the Information Security Compliance Checklist
• ensure that networks and systems are subjected to regular technical checks for compliance with the information security policy
• identify significant threat changes and exposure of information and information processing facilities to threats
• assess the adequacy and coordinate the implementation of information security controls
• assist the ISIRT to evaluate information received from the monitoring and reviewing of information security incidents, and endorse appropriate corrective actions in response to information security incidents or shortcomings
• in the case of deliberate violations and breaches, assist with formal disciplinary processes where required.

4.2.4 Develop information security capability

It is a role of the information security governance body to develop information security capability.

In order to fulfil this role, the following management responsibilities should be met:
• provide the resources needed for information security


• assign specific roles and responsibilities for information security across the organisation (see section 3).

In addition to these management responsibilities, the following coordination responsibilities should be met:
• effectively promote information security education, training and awareness throughout the organisation. This should be conducted in accordance with the information security awareness plan.

4.3 Authority

The information security governance body must have the requisite authority to fulfil its role and responsibilities as identified in its terms of reference. This should be coupled with clear reporting lines to the CEO (or delegate) and the senior executive management group.

4.4 Suggested reporting requirements

The following are suggested reporting requirements, organised by role. Each entry includes the intended audience for the report and the frequency of reporting or due date.

Role | Reporting requirement | Audience | Frequency/Date
Provide leadership in, and direct the preparation and implementation of the information security policies and processes | Submit information security policy for approval. | Senior executive management group | Ad hoc
Evaluate and direct information security initiatives | Submit information security plans for approval. | Senior executive management group | Annually
 | Submit overarching information and ICT asset disaster recovery plan for approval. | Senior executive management group | Annually
 | Submit information security awareness plan for approval. | Senior executive management group | Annually
 | Endorse and submit information security initiatives for approval. | Senior executive management group | Ad hoc
Monitor conformance and performance | Submit the completed information security compliance checklist (8) | Senior executive management group | DD Month each year as of YYYY
 | | Central agency - TBC | 30 June each year as of 2011

8 This is a reporting requirement of the revised draft IS18 as at November 2009.


Role | Reporting requirement | Audience | Frequency/Date
Monitor conformance and performance (continued) | Endorse and submit information security incident reports | Senior executive management group | At least quarterly
 | | QGCTO | At least quarterly
 | Report on key performance indicators for information security plans | Senior executive management group | Quarterly
 | Provide annual report on the information security governance body’s performance. | Senior executive management group | Annual
Develop information security capability | Report on the agency’s information security maturity level. | Senior executive management group | Annual

4.5 Delegation

Responsibility for specific aspects of information security governance may be delegated. However, accountability for information security governance resides with the information security governance body and ultimately the CEO.

4.6 Operation

The information security governance body should convene at least every three months. The timing of these meetings should complement both agency planning cycle requirements and ongoing review processes. See also Appendix A.

4.7 Review

The information security governance body should identify indicators of its own performance and conduct an annual performance review against these. This should culminate in an annual report to the CEO and/or senior executive management group which identifies issues and makes recommendations on corrective actions.


Appendix A Suggested meeting agenda

Note: This is a suggested meeting agenda for the information security governance body. Agencies will need to select and modify agenda items as required (e.g. the Information Security Compliance Checklist may only be an agenda item once a year). Agencies may wish to add agenda items.

1. Minutes of previous meeting

2. Actions arising from previous meeting

3. Items for endorsement
   – new/revised information security plan, policies, processes
   – proposed information security initiatives
   – other.

4. Items for noting/discussion
   – external and internal environmental scan – issues that may affect agency information security (e.g. new legislation, whole-of-Government policy, new applications and technologies, business area information security issues, new threats and risks)
   – progress against information security plan
   – information security initiatives
     ▪ to be initiated
     ▪ current – issues
     ▪ completed.
   – information security plans, policies, methodologies and processes
     ▪ to be initiated
     ▪ current – issues
     ▪ completed.
   – information security compliance checklist self assessment
     ▪ results
     ▪ actions.
   – information security incidents
     ▪ results
     ▪ actions
     ▪ reporting.
   – information security checks and testing (including business continuity and disaster recovery)
     ▪ results
     ▪ actions.
   – review of external party arrangements
     ▪ results
     ▪ actions.
   – register updates (noting of additions/deletions)
     ▪ information security classified information
     ▪ information security classified systems
     ▪ disaster recovery register
     ▪ information security risk register (may be part of agency’s risk register).


   – progress against information security awareness plan
     ▪ to be initiated
     ▪ current – issues
     ▪ completed.
   – information security maturity assessment update
   – information security governance body performance review
   – items referred from other committees.

5. General business.


Version history

Version | Date | Author | Description
0.0.1 | January 2010 | Chantel Helmore | First draft.
0.1.0 | February 2010 | QGCIO | Whole-of-Government consultation
0.1.1 | April 2010 | K. Harte | Incorporation of agency and QGCIO feedback.
0.1.2 | April 2010 | K. Harte | Incorporation of feedback from VD, CH, JC.
0.1.3 | ? | ? | ?
0.1.4 | April 2010 | K. Harte | Incorporation of agency feedback.
0.1.5 | July 2010 | K. Harte | Incorporation of roles and responsibilities meta model and final changes.
0.1.6 | September 2010 | Policy Governance, ICT Policy and Coordination Office | Final document review
1.0.0 | November 2010 | ODG, DPW | Approved
