Mandatory requirements and reporting
The NSW Cyber Security Policy sets out the mandatory requirements for NSW Government departments and agencies to manage cyber security risks to their information and systems.
It is mandatory for NSW Government agencies to report back to the NSW Cyber Security team on how they have adhered to the requirements in the policy.
You should engage your agency or cluster information management and cyber security team early on in your design process. Work with them to help you meet your agency reporting obligations.
Identify and report ‘crown jewels’
All NSW Government agencies have their own process to identify ‘crown jewels’. Speak to your agency or department cyber security team at the outset to identify whether your system and/or data is a ‘crown jewel’.
‘Crown jewels’ are ‘the most valuable or operationally vital systems or information in an organisation’.
NSW Cyber Security Policy
You must cover all ‘crown jewels’ under an Information Security Management System (ISMS) or Cyber Security Management System (CSMS). Your agency will need to report it to Cyber Security NSW.