Align with cyber security best practice

Minimum you need to do

Apply guiding principles and adhere to cyber security best practice.

Align with best practice

Australian Cyber Security Centre’s Essential 8 Framework 

Ensure that where relevant, you design your digital service to meet maturity level 3 of the ACSC Essential 8 Framework. They are strategies to help mitigate cyber security incidents caused by cyber treats. NSW Government agencies should use them as the baseline for all digital systems.

Secure coding standards 

Your development team should align practices with a secure coding standard. Teams can use the checklist in the Open Web Application Security Project’s Secure Coding Practices Guide (OWASP guide) through their software development cycle. The practices will help mitigate most of the common software vulnerabilities. Where possible, you should automate processes to reduce human errors in code. 

Multi-factor authentication 

If your customers need to authenticate with the service, you should provide an option for multi-factor authentication (MFA). Provide MFA via time-based one-time passwords (TOTP) or hardware tokens. 

Managing user access 

There are no current technical standards around password control practices.  

Cyber Security NSW recommends you allow customers to paste passwords on NSW Government websites. This aligns with the National Institute of Standards and Technology (NIST), Special Publication 800-63B Digital Identity Guidelines – Authentication and Lifecycle Management. By allowing customers to paste passwords you are facilitating their use of password managers.

Further reading  
Let them paste passwords, a blog post by the National Cyber Security Centre 
The Cobra Effect that is disabling paste on password fields, an article by Troy Hunt, a Microsoft Regional Director.  

Ensure that customers are not using bad passwords 

When customers register for a digital services account, you should notify them if the password they have chosen has been seen in a known data breach. There are a variety of ways to do this. Base your approach on the individual circumstances of your project, in consultation with your cyber security team.  

Monitoring systems 

Ensure you manage the log files your digital service generates and analyse them for any undesired behavior.  

Protect data 

Ensure that your service encrypts data in transit and at rest. Classify data in the correct way.   

    Create a security plan

    Create a security plan to manage the ongoing security of the service. A security plan is a 'living' document that you will need to review and revise. Ensure its goals and how you manage security risks keep pace with: 

    • changes in the service 
    • emerging threats 
    • changes in technology and policies 
    • operation environment. 

    Include a detailed risk component. This will ensure you outline all risk and mitigation for governance and reporting purposes. 

    Talk to your cyber security team to help you develop your plan. You should involve people with the right level of knowledge and expertise in managing security risk. They should know about the strategic goals and objectives of your agency and cluster. 

    Create a risk plan

    A risk plan identifies security risks to the digital service, their impact and likelihood of occurring. Your cyber security expert can help you create a risk plan. You should include the risk plan in your overarching plan for ongoing security. 

    NSW Treasury’s Risk Assessment and Risk Register Template is a tool to help agencies develop and implement their risk management framework and processes. 

    When you develop your risk plan you should consider the following: 

    • Define your system so you can select controls to provide the right level of cyber security protection. Consider the <system criteria>. 
    • Identify risks, their impact and the likelihood that they will happen 
    • How you will report and respond to any incidents and breaches. Talk to your information management security team to know who you need to report incidents and breaches to. 

    How to show you’ve met cyber security best practice

    You will have:

    • consulted your information security team and used the OWASP Guide  

    • developed a plan for managing the ongoing security of your service in consultation with your cyber security expert  

    • developed a risk plan that addresses security risk, and the impact and likelihood of the event  

    • recorded how your team can report and respond to breaches and incidents. 

    Last updated