Almost 100 federal government entities will need to have a designated chief information security officer (CISO) under revised rules agreed late last month.
The rule applies to the 99 non-corporate Commonwealth entities (NCEs) that are required to adhere to the Protective Security Policy Framework (PSPF).
PSPF policy amendments impose minimum security clearance requirements on chief security officers (CSOs), while also requiring the specific appointment of a CISO.
“The requirement to appoint a CISO is not expected to impose additional burden on entities as the CSO is currently required to oversee cyber security,” Home Affairs, which has oversight of the PSPF, said in a statement.
The CISO also “does not have to be appointed at the SES [senior executive service] level”, Home Affairs said.
“The role is best performed by an officer with the appropriate combination of experience, technical skills and other skills such as business acumen, leadership, communications and relationship building,” it added.
Corporate Commonwealth entities and wholly-owned Commonwealth companies aren’t required to meet the PSPF, but are meant to view it as “better practice”, according to an audit of the framework last year.