The NSW Government Chief Information Security Officer (GCISO) is working to provide a cyber safe NSW. Protecting our systems and digital information matters because of the many essential services we provide, including health, emergency services, energy, water and transport.
The GCISO is working across NSW Government to:
- Increase cyber skills and awareness
- Understand the risks from cyber threats to our digital information and systems
- Set cyber security standards
- Ensure we know how to respond if a damaging cyber incident occurs
Cyber security is a part of the NSW Government’s Digital Strategy.
NSW Government Cyber Security Strategy
The NSW Government is taking an integrated approach to preventing and responding to cyber security threats across the state, to safeguard our information, assets, services and citizens. The NSW Government Cyber Security Strategy, released in September 2018, guides and informs the safe management of government’s growing cyber footprint. The Strategy is built around the following principles to achieve a connected, protected and trusted cyber safe NSW.
Government systems are secure and resilient to evolving cyber incidents. Non-negotiable minimum security standards are applied across the sector. Our approach is risk-based with an emphasis on securing high impact information and services.
NSW Government agencies coordinate and collaborate with other agencies, jurisdictions and the private sector within a federated framework, acknowledging that they are interdependent and cannot operate in isolation. Security is not an afterthought, but is integrated into all ICT assurance processes to ensure that our systems are secure-by-design.
Agency capability is lifted through collaboration, training and support. Strong and agile teams are embedded across the sector to ensure a timely response to cyber threats and incidents.
Our technical and human capabilities are interconnected and interdependent. From a cyber risk perspective, they operate as one system. We have a ‘joined-up’ mindset, recognising that everyone takes responsibility for cyber security. This requires deep collaborative relationships across sectors and jurisdictions.
NSW Government Cyber Security Policy
From 1 February 2019, the NSW Cyber Security Policy comes into effect. The Policy applies to all NSW Public Service agencies and has several new aspects.
- Cyber security is explicitly highlighted as everyone’s responsibility with Agency heads accountable for compliance and specific cyber security responsibilities for senior management and all staff
- Agencies must now report annually how they are tracking against the Australian Cyber Security Centre (ACSC) “Essential 8” which includes such practices as regular patching, daily backups, restricting admin privileges and multi-factor authentication
- The Policy now covers industrial automation and control systems (IACS) and internet-connected devices
- Agencies must identify their most valuable or operationally vital systems or information – i.e. their “crown jewels” to ensure appropriate protection and response
- Lead cluster Departments must support agencies in their cluster on cyber security
- ISO 27001 certification (or an appropriate alternative) is required for all clusters or agencies
- Focuses on building a cyber security culture through education and awareness and sharing intelligence on cyber security risks and threats
- Adopts a risk-based approach to better meet the needs of different agencies
All NSW Public Service Agencies must comply with the Policy and it is recommended for adoption in State Owned Corporations, as well as local councils and universities.
Tips for cyber security:
- Avoid using your work email on public facing websites.
- Don’t follow links or open attachments from untrusted sources.
- Stay away from illegal download sites.
- Avoid the use of public wi-fi, particularly to conduct business.
- Do not use USB sticks from untrusted sources.
- Never leave your devices unattended in public.
- Make purchases from secure websites only. Secure websites start with “https:” rather than “http:” and are usually marked by a padlock icon next to the address bar. The padlock means the connection to that site is encrypted; it does not by itself mean the site or the business behind it is trustworthy, so still check that the address is the one you expect.
- Be cautious of people you meet online.
- Keep your system software and application software up-to-date.
- If unsure, seek further information from the appropriate team.
Cyber protection within your organisation
- Is there a senior officer accountable for monitoring security strategy?
- Is everyone in your organisation aware of your cyber-culture?
- Are incidents being reported appropriately? Does bad news travel to the Board?
- What is your plan for responding to a cyber incident? When was the last time it was tested?
- Know the value of your information and what will happen if it is compromised.
- Know who has access to what information.
- If an external service provider has access to your information make sure their procedures meet your expectations.
See our pocket guide for further contacts, tips and guidelines.
Contact the right team for support
Here are some contacts dedicated to your cyber protection. If you require assistance in one of these areas, please get in touch with the relevant team.
- Protect myself and my small business from cyber security threats
- Restore my ID (if it’s been stolen or misused)
- IDCare – National Identity and Cyber Support