Agency Heads

a) in the case of a Department – the Secretary of the Department, or
b) in any other case – the head of the agency listed in Part 2 or 3 of Schedule 1 of the Government Sector Employment Act 2013


Australian Cyber Security Centre


Chief Information Officer


Chief Information Security Officer


(also lead cluster department or department)

Officially defined as Departments in Government Sector Employment Act 2013 Schedule 1 clusters are the eight groups into which NSW Government agencies are organised to enhance coordination and provision of related services and policy development (This reflects the Machinery of Government changes effective 1st July 2019).

Critical infrastructure

Those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security. (Security of Critical Infrastructure Act 2018)

Crown jewels

The most valuable or operationally vital systems or information in an organisation.


A Cyber Security Management System is a management system focused on cyber security of control systems rather than information.

Cyber crisis

Major disruptions to services and operations, with genuine risks to critical infrastructure and services, with risks to the safety of citizens and businesses. Intense media interest, large demands on resources and critical services.

Cyber incident

Moderate or higher impact to services, information, assets, reputation or relationships. Public visibility of impacts through service degradation or public disclosure of information/systems breaches, with economic impacts.

Cyber security


All measures used to protect systems, and information processed, stored or communicated on such systems, from compromise of confidentiality, integrity and availability. (emerging Australian Government definition)


Industrial Automation and Control Systems, also referred to as Industrial Control System (ICS), include “control systems used in manufacturing and processing plants and facilities, building environmental control systems, geographically dispersed operations such as utilities (i.e., electricity, gas, and water), pipelines and petroleum production and distribution facilities, and other industries and applications such as transportation networks, that use automated or remotely controlled or monitored assets.” (IEC/TS 62443-1-1 Ed 1.0)


Information and Communications Technology, also referred to as Information Technology (IT), includes software, hardware, network, infrastructure, devices and systems that enable the digital use and management of information and the interaction between people in a digital environment.


An Information Security Management System “consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organisation, in the pursuit of protecting its information assets. An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation’s information security to achieve business objectives”. (ISO/IEC 27000:2018)


The Internet of Things (IoT) refers to the inter-connection of many devices and objects utilising internet protocols that can occur with or without the active involvement of individuals using the devices. The IoT is the aggregation of many machine-to-machine (M2M) connections.


NSW Chief Cyber Security Officer - Note: The NSW whole-of-government cyber function was renamed 'Cyber Security NSW', and the 'Government Chief Information Security Officer' was renamed NSW Chief Cyber Security Officer in May 2019.


A Private Automatic Branch Exchange is an automatic telephone switching system within a private enterprise.

Public service agency


Section 3 of the Government Sector Employment Act defines a Public Service agency as:

  • a Department (listed in Part 1 of Schedule 1 to the Act), or
  • a Public Service executive agency (being an agency related to a Department), or
  • a separate Public Service agency.
Red Team Ethical hackers that provide penetration testing to ensure the security of an organisation’s information systems

Risk appetite

“Amount and type of risk that an organisation is willing to pursue or retain.” (ISO/Guide 73:2009)

Risk tolerance

“Organisation’s or stakeholder’s readiness to bear the risk, after risk treatment, in order to achieve its objectives.” (ISO/Guide 73:2009)


The System Development Life Cycle is the “scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal”. (NIST SP 800-137)


An approach to software and hardware development that tries to minimise vulnerabilities by designing from the foundation to be secure and taking malicious practices for granted.

Significant cyber incident

Significant impact to services, information, assets, NSW Government reputation, relationships and disruption to activities of NSW business and/or citizens. Multiple NSW Government agencies, their operations and/or services impacted. May involve a series of incidents having cumulative impacts.

State owned corporation

Commercial businesses owned by the NSW Government: Essential Energy, Forestry Corporation of NSW, Hunter Water, Port Authority of NSW, Sydney Water, Landcom, Water NSW


Software, hardware, data, communications, networks and includes specialised systems such as industrial and automation control systems, telephone switching and PABX systems, building management systems and internet connected devices