a) in the case of a Department – the Secretary of the Department, or
b) in any other case – the head of the agency listed in Part 2 or 3 of Schedule 1 of the Government Sector Employment Act 2013
The process of granting or denying requests for access to systems, applications and information. Can also refer to the process of granting or denying requests for access to facilities
Australian Cyber Security Centre
An approach in which only an explicitly defined set of applications are permitted to execute on a system
A chronological record of system activities including records of system access and operations performed
A chronological record that reconstructs the sequence of activities surrounding, or leading to, a specific operation, procedure or event
Verifying the identity of a user, process or device as a prerequisite to allowing access to resources in a system
The process of defining or verifying permission for a specific identity or device to access or use resources in a system
Making information consistently and readily accessible for authorised parties
Business Continuity Plan
A business continuity plan is a document that outlines how an organisation can ensure it’s critical business functions will either continue to operate despite serious incidents or disasters that might otherwise have interrupted them, or will be recovered to an operational state within a reasonably short period.
An incident that results in unauthorised access to, modification or disruption of data, applications, services, networks and/or devices by bypassing their underlying security mechanisms
When data is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. Also referred to as a ‘Data Spill’
Chief Information Officer
Chief Information Security Officer
The categorisation of systems and information according to the expected impact if it was to be compromised
Cluster (also lead cluster department or department)
Officially defined as Departments in Government Sector Employment Act 2013 Schedule 1 clusters are the eight groups into which NSW Government agencies are organised to enhance coordination and provision of related services and policy development (This reflects the Machinery of Government changes effective 1st July 2019).
Those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security. (Security of Critical Infrastructure Act 2018)
The most valuable or operationally vital systems or information in an organisation.
Cyber Security Framework
A Cyber Security Management System is a management system focused on cyber security of control systems rather than information.
A deliberate act through cyberspace to manipulate, disrupt, deny, degrade or destroy computers or networks, or the information resident on them, with the effect of seriously compromising national security, stability or economic prosperity
Crimes directed at computers, such as illegally modifying electronic data or seeking a ransom to unlock a computer affected by malicious software. It also includes crimes where computers facilitate an existing offence, such as online fraud or online child sex offences
Major disruptions to services and operations, with genuine risks to critical infrastructure and services, with risks to the safety of citizens and businesses. Intense media interest, large demands on resources and critical services.
An identified occurrence of a system, service or network state indicating a possible breach of security policy or failure of safeguards
An occurrence or activity that may threaten the confidentiality, integrity or availability of a system or the information stored, processed or communicated by it
Cyber Incident Response Plan
A plan for responding to cyber security incidents
Measures used to protect the confidentiality, integrity and availability of systems and information
Disaster Recovery Plan
Outlines an organisation’s recovery strategy for how they are going to respond to a disaster
The Essential Eight are eight essential mitigation strategies that organisations are recommended to implement as a baseline to make it much harder for adversaries to compromise systems
Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur
Industrial Automation and Control Systems, also referred to as Industrial Control System (ICS), include “control systems used in manufacturing and processing plants and facilities, building environmental control systems, geographically dispersed operations such as utilities (i.e., electricity, gas, and water), pipelines and petroleum production and distribution facilities, and other industries and applications such as transportation networks, that use automated or remotely controlled or monitored assets.” (IEC/TS 62443-1-1 Ed 1.0)
Information and Communications Technology, also referred to as Information Technology (IT), includes software, hardware, network, infrastructure, devices and systems that enable the digital use and management of information and the interaction between people in a digital environment.
An Information Security Management System “consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organisation, in the pursuit of protecting its information assets. An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation’s information security to achieve business objectives”. (ISO/IEC 27000:2018)
Incident Response Plan
A plan for responding to cyber security incidents
The protection of information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability
The network of physical objects, devices, vehicles, buildings and other items which are embedded with electronics, software, sensors, and network connectivity, which enables these objects to connect to the internet and collect and exchange data
An instruction that causes the execution of a predefined sequence of instructions
A method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are)
NSW Chief Cyber Security Officer - Note: The NSW whole-of-government cyber function was renamed 'Cyber Security NSW', and the 'Government Chief Information Security Officer' was renamed NSW Chief Cyber Security Officer in May 2019.
Operational Technology (OT)
Operational technology is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events
A Private Automatic Branch Exchange is an automatic telephone switching system within a private enterprise.
A partial restoration would be anything less than a full restoration. The expectation would be any at least any chosen file or database
The action of updating, fixing, or improving a computer program
Position of Trust
A position that involves duties that require a higher level of assurance than that provided by normal employment screening. In some organisations additional screening may be required
Positions of trust can include, but are not limited to, an organisation’s Chief Information Security Officer and their delegates, administrators or privileged users
A user who can alter or circumvent a system’s security measures. This can also apply to users who could have only limited privileges, such as software developers, who can still bypass security measures
A privileged user can have the capability to modify system configurations, account privileges, audit logs, data files or applications
Public service agency
Section 3 of the Government Sector Employment Act defines a Public Service agency as:
a Department (listed in Part 1 of Schedule 1 to the Act), or
a Public Service executive agency (being an agency related to a Department), or
a separate Public Service agency.
Ethical hackers that provide penetration testing to ensure the security of an organisation’s information systems
Access to a system that originates from outside an organisation’s network and enters the network through a gateway, including over the internet
“Amount and type of risk that an organisation is willing to pursue or retain.” (ISO/Guide 73:2009)
“Organisation’s or stakeholder’s readiness to bear the risk, after risk treatment, in order to achieve its objectives.” (ISO/Guide 73:2009)
The System Development Life Cycle is the “scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal”. (NIST SP 800-137)
An approach to software and hardware development that tries to minimise vulnerabilities by designing from the foundation to be secure and taking malicious practices for granted.
Significant cyber incident
Significant impact to services, information, assets, NSW Government reputation, relationships and disruption to activities of NSW business and/or citizens. Multiple NSW Government agencies, their operations and/or services impacted. May involve a series of incidents having cumulative impacts.
State owned corporation
Commercial businesses owned by the NSW Government: Essential Energy, Forestry Corporation of NSW, Hunter Water, Port Authority of NSW, Sydney Water, Landcom, Water NSW
Supply chain is a system of organisations, people, activities, information, and resources involved in supplying a product or service to a consumer
Software, hardware, data, communications, networks and includes specialised systems such as industrial and automation control systems, telephone switching and PABX systems, building management systems and internet connected devices
Authorising only approved applications for use within organisations in order to protect systems from potentially harmful applications
We pay respect to the Traditional Custodians and First Peoples of NSW, and acknowledge their continued connection to their country and culture.