Cluster Chief Information Security Officers (CISOs) and/or central cluster cyber security teams, are to coordinate policy reporting across the entirety of their cluster. In April each year, Cluster CISOs are to provide Cyber Security NSW with an updated list of all agencies in their cluster and how they will be reporting, in a template provided by Cyber Security NSW.
- By 31 August each year, agencies must submit a report to their cluster CISO, or to Cyber Security NSW, in a template provided by Cyber Security NSW, covering the following:
  - an assessment against all mandatory requirements in this policy for the previous financial year;
  - a maturity assessment against the Australian Cyber Security Centre (ACSC) Essential 8;
  - cyber security risks with a residual rating of high or extreme; and
  - a list of the agency's "crown jewels".
- Agencies are to include an attestation on cyber security in their annual report and provide a copy to Cyber Security NSW by 31 August each year. If your agency does not complete an annual report, an attestation must still be completed and signed off by your Agency Head and submitted to your cluster CISO.
The CSP Maturity Reporting Template can be requested from [email protected]
Strong cyber security is an important component of the NSW Beyond Digital Strategy, enabling the effective use of emerging technologies and ensuring confidence in the services provided by NSW Government. Cyber security covers all measures used to protect systems – and information processed, stored or communicated on these systems – from compromise of confidentiality, integrity and availability.
Cyber security is becoming more important as cyber risks continue to evolve. Rapid technological change has also increased cyber connectivity and our dependency on cyber infrastructure.
The NSW Cyber Security Policy (the policy) replaced the NSW Digital Information Security Policy from 1 February 2019. New requirements of the policy include strengthening cyber security governance, identifying an agency’s most valuable or operationally vital systems or information (“crown jewels”), strengthening cyber security controls, developing a cyber security culture across all staff, working across government to share security and threat intelligence and a whole of government approach to cyber incident response. The policy is reviewed annually and updated based on agency feedback and emerging cyber security threats.
Agencies must establish effective cyber security policies and procedures and embed cyber security into risk management practices and assurance processes. When cyber security risk management is done well, it reinforces organisational resilience, making entities aware of their risks and helping them make informed decisions in managing those risks. This should be complemented with meaningful training, communications and support across all levels of the agency.
The policy outlines the mandatory requirements to which all NSW government departments and Public Service agencies must adhere, to ensure cyber security risks to their information and systems are appropriately managed. This policy is designed to be read by Agency Heads and all Executives, Chief Information Officers, Chief Information Security Officers (or equivalent) and Audit and Risk teams.
This policy applies to all NSW government departments and Public Service agencies, including statutory authorities and all NSW government entities that submit an annual report to a Secretary of a lead department or cluster, direct to a Minister, or direct to the Premier. In this policy, references to “lead cluster departments” or “clusters” mean the departments listed in Part 1, Schedule 1 of the Government Sector Employment Act 2013. The term “agency” is used to refer to any or all NSW government departments, Public Service agencies and statutory authorities.
This policy applies to:
- information, data and digital assets created and managed by the NSW public sector;
- information and communications technology (ICT) systems; and
- Operational Technology (OT) that handles government or citizen data or provides critical government services.
This policy mandates a number of requirements all agencies MUST implement. There is flexibility to make an informed, risk-based decision on the type and number of controls that are implemented by an agency as part of its Information Security Management System or Cyber Security Framework.
Agencies that provide critical or higher risk services and hold higher risk information should implement a wider range of controls and aim for broader coverage and higher maturity levels. It is recommended that agencies seek additional guidance, strategies and controls from the supplementary sources mentioned in the useful links section.
This policy is not mandatory for state owned corporations; however, it is recommended for adoption by state owned corporations, as well as by local councils and universities.
Cyber Security NSW can assist agencies in implementing the policy, with an FAQ document and guidelines on several cyber security topics. For copies of these documents or for advice regarding the policy, please contact [email protected]
Agencies must identify their central cluster Chief Information Security Officer (CISO) and maintain contact with them throughout the policy reporting period, especially if they require assistance meeting the reporting and maturity requirements outlined.
Cyber Security NSW
Digital.nsw and Customer Service ICT
Department of Customer Service