Mandatory Requirements


1. Planning and Governance

Agencies must implement cyber security planning and governance. Agencies must:

Allocate roles and responsibilities as detailed in this policy.
Ensure there is a governance committee at the executive level (dedicated or shared) to be accountable for cyber security including risks, plans, reporting and meeting the requirements of this policy.
Develop, implement and maintain an approved cyber security plan that is integrated with your agency’s business continuity arrangements.
Include cyber security in their risk management framework and consider cyber security threats when performing risk assessments.
Be accountable for the cyber risks of their ICT service providers with access to or holding of government information and systems and ensure these providers understand and comply with the cyber security requirements of the contract, including the applicable parts of this policy (Section 5.10) and any other relevant agency security policies.

2. Cyber Security Culture

Agencies must build and support a cyber security culture across their agency and NSW Government more broadly. Agencies must:

Implement regular cyber security awareness training for all employees, contractors and outsourced ICT service providers.
Increase awareness of cyber security risk across all staff including the need to report cyber security risks.
Foster a culture where cyber security risk management is a demonstrable factor in decision-making and where cyber security risk management processes are understood and applied.
Ensure that appropriate access controls and security screening processes are in place for people with privileged access or access to sensitive or classified information.
Receive and/or provide information on security threats and intelligence with Cyber Security NSW and cooperate across NSW Government to enable management of government-wide cyber risk.

3. Manage cyber security risks

Agencies must manage cyber security risks to safeguard and secure their information and systems. Agencies must:

Implement an Information Security Management System (ISMS), Cyber Security Management System (CSMS) or Cyber Security Framework (CSF).
Implement the ACSC Essential Eight.
Classify information and systems according to their business value (i.e. the impact of loss of confidentiality, integrity or availability).
Ensure cyber security requirements are built into procurements and into the early stages of projects and the system development life cycle (SDLC), including agile projects. Any upgrades to existing systems must comply with your organisation’s cyber risk tolerance.
Audit trail and activity logging records are determined, documented, implemented and reviewed for new ICT systems and enhancements.

4. Resilience

Agencies must improve their resilience including their ability to rapidly detect cyber incidents and respond appropriately. Agencies must:

Have a current cyber incident response plan that integrates with the agency incident management process and the NSW Government Cyber Incident Response Plan.
Exercise their cyber incident response plan at least every year.
Ensure that ICT systems and assets are monitored to identify cyber security events and verify the effectiveness of protective measures.
Report cyber security incidents to their cluster CISO and/or Cyber Security NSW according to the NSW Cyber Security Response Plan. If relevant, ensure incident reporting is compliant with Federal reporting requirements.
Participate in whole-of-government cyber security exercises as required.
Last updated