governmentnews.com.au

People are still 'weakest link' in security defence

Published on Fri, 03/02/2012, 02:55:31


By Jo Stewart-Rattray, director of information security for national accounting firm RSM Bird Cameron; the international vice president for global information security governance industry association ISACA; chair at ISACA’s leadership development committee; and member of its COBIT for Security Taskforce.
 
While public sector agencies confront security risks from the cloud to social media in 2012, their greatest challenge is to build an intentional culture of security among staff, warns an international expert in information security.
 
We have to be aware of that fact, and that means eternal vigilance is the price paid for the role of CIO.
 
The responsibility for security within a public sector agency – or any organisation – cannot be compartmentalised.
 
The truth is security is everyone’s responsibility and the buck has to stop somewhere, which is with the CEO or with the board in a corporation.
 
Public sector agencies demonstrated a broad range of responses to security challenges. Some agencies are at the forefront while others lag in the rear.
 
South Australia’s Office of the CIO has rolled out a revised version of its Information Security Framework to the public sector, which has provided State Government agencies with guidance.
 
Also in South Australia, public sector agencies have designated Information Technology Security Advisors (ITSAs) – a position which goes by other names in other states – whose role is to advise the business on issues relating to information security.
 
The various offices of the Auditors General around Australia regularly come out with reports that lambast some agencies.
 
For example, the Auditor General in WA makes no bones about reporting how many agencies are successful in the security area and how many have ‘room for improvement’.
 
There are many legitimate reasons why an agency may not be at the forefront with security methodology.
 
These can range from budgetary constraints or changes to their organisational structure to the commencement of, or changes to, outsourcing services or bringing shared services in-house.
 
Each agency has different information security requirements and priorities depending on its line of business and the types of content it retains.
 
For a new chief executive going into an agency, the first step towards information security is to ascertain the security position of that agency.
 
This involves asking any ITSA or equivalent roles as well as the CIO: Where are we up to?
 
If an information security review has been undertaken recently, read it to see what risks were identified, what recommendations were proposed, and which of those were implemented.
