Reporting and Attestation
Cluster CISOs, and/or central cluster cyber security teams, are to coordinate Policy reporting across the entirety of their cluster.
By 30 April each year, cluster CISOs are to provide Cyber Security NSW with an updated list of all agencies in their cluster with confirmation of how they will be reporting, in a template provided by Cyber Security NSW.
By 31 October each year, agencies must submit the following to their cluster CISO or Cyber Security NSW:
- Maturity reporting against all mandatory requirements in this policy and the Australian Cyber Security Centre (ACSC) Essential Eight for the previous financial year. The reporting template is to be provided by Cyber Security NSW.
- Cyber security risks with a residual rating of high or extreme and a list of the agencies' “crown jewels”
- An attestation on cyber security, which is also to be included in each agency's individual annual report. If your agency does not complete an annual report, an attestation must still be completed and signed off by your Agency Head.
Agencies have an obligation to ensure reporting reflects an accurate and verifiable assessment of maturity as well as implementation of other requirements of this Policy. As such, agencies must:
- Compile and retain, in accessible form, the artefacts that demonstrate the basis of their self-assessments
- Resolve discrepancies and inaccuracies identified in their reporting, including discrepancies between their reported level of maturity and the level they can demonstrate with evidence
- Refer to the Policy Guidance (see: Supplementary Documents) to support their assessments of maturity
- Ensure their attestations refer to any departures from the requirements of the Policy (see: Attestation).
Agencies must provide a yearly report for the previous financial year to their cluster CISO, or Cyber Security NSW, in a format provided by Cyber Security NSW by 31 October each year. Scores are to be provided for your agency's maturity against the mandatory requirements in this policy and the ACSC Essential Eight, as well as target maturity levels for next year. It is possible to have a response of “not applicable” with an appropriate explanation that is acceptable to your agency.
The reports will be summarised and provided to the relevant governance bodies, including the Cyber Security Steering Group (CSSG), Secretaries Board, relevant Committees of Cabinet, Cyber Security Senior Officers Group (CSSOG) and the ICT and Digital Leadership Group (IDLG), and used to identify common themes and areas for improvement across NSW Government.
Crown jewels and risk reporting
Agencies must provide a list of their crown jewels and high and extreme risks to their cluster CISO, or Cyber Security NSW, in a format provided by Cyber Security NSW, by 31 October each year. If an agency does not have any crown jewels or high and extreme risks, they can provide a response of “not applicable”.
Agencies must provide a signed annual attestation for the previous financial year to Cyber Security NSW by 31 October each year. This same attestation must be provided in agency annual reports or in department annual reports, if applicable.
If your agency does not complete an annual report, an attestation must still be completed and signed off by your agency head and submitted to your cluster CISO.
If more than one agency is included in the attestation, a list of all the agencies should be detailed within the attestation itself. The attestation should address the following items:
- the agency has assessed its cyber security risks
- cyber security is appropriately addressed at agency governance forums
- the agency has a cyber incident response plan, it is integrated with the security components of business continuity arrangements, and has been tested over the previous 12 months (involving senior business executives)
- confirmation of the agency's Information Security Management System/s (ISMS), Cyber Security Management Frameworks and/or Cyber Security Framework (CSF) including certifications or independent assessment where available
- what the agency is doing to continuously improve the management of cyber security governance and resilience
There is no expected format for the attestation, so long as the above requirements are explicitly addressed.