Information security lead

Standards indicator

C6.4A Our practice has a team member who has primary responsibility for the electronic systems and computer security.

You must have at least one team member who has primary responsibility for the electronic systems and computer security.

Create a policy

Your practice policy should include the specific information security roles and responsibilities of each practice team member.

Your policy should cover:

• specific information on the roles and responsibilities of each practice team member in relation to information security, including the required levels of access to information systems
• assignment of an information security lead who has access to ongoing training as required
• who is responsible for specific information security tasks
• access to ongoing training for your practice team as required
• education for your practice team in identifying errors or abnormal software behaviour and who/how to notify promptly of any concerns.

The position description of the information security lead can include:

• overseeing development of information security policies and procedures
• testing business continuity and information recovery plans
•  reviewing and updating policies and procedures as practice and legislative changes occur
• regular monitoring to ensure practice security policies are followed
• maintaining an up-to-date risk assessment
• ensuring technical advice is sought where required
• ensuring secure transfer of electronic information
• arranging access to ongoing information security awareness training for the practice team
• updating the practice management on outstanding security issues
• regular reporting on information security to the practice team
• regular monitoring of system logs and audit reports.​