In February 2019, the NSW Government issued its new Cyber Security Policy, a key part of its overarching Cyber Security Strategy released in September 2018. The policy establishes a set of mandatory cyber security requirements, ensuring an integrated approach to preventing and responding to cyber security threats.
The policy came into effect on 1 February 2019, requiring all NSW Public Service Agencies to comply with the new requirements. Adoption of the policy, while not mandatory, is also recommended for State Owned Corporations, local councils and universities.
To comply, agencies are required to:
- Implement cyber security planning and governance, which includes:
  - Establishing clear roles and responsibilities, oversight and plans for cyber security.
  - Conducting cyber security risk assessments.
- Establish a cyber security culture across the organisation, incorporating such aspects as:
  - Regular education of employees, contractors and outsourced ICT service providers.
  - Embedding cyber security risk management into decision making.
- Manage cyber security risks to protect and secure information and systems, which includes:
  - Implementing an Information or Cyber Security Management System and supporting controls, compliant with recognised industry standards.
  - Implementing, and reporting maturity against, the ACSC Essential Eight cyber security incident mitigation strategies.
  - Identifying and classifying information and systems and, based on their relative importance, implementing commensurate controls.
- Improve resilience and incident management capabilities, through:
  - Maintaining, and testing annually, a cyber security incident response plan that integrates with the government's response plan.
  - Implementing adequate incident identification and response tools and processes.
  - Reporting cyber security incidents in accordance with requirements.
- Report and attest annually on policy compliance, including reporting on high and extreme residual risks and "crown jewels" (the agency's most valuable or vital systems and information).
Full details of all new requirements and the overarching strategy can be found in the respective documents linked above. As a CREST certified organisation, Alcorn Group is well positioned to assist government agencies with meeting the new requirements. Our independent assessment services can provide an initial baseline of your organisation’s cyber security posture and actionable recommendations to achieve and demonstrate ongoing compliance. Examples of services directly supporting policy compliance include:
- ACSC Essential Eight maturity assessments
- Threat and risk assessments
- ISMS development and assessments
- Cyber security controls testing (e.g. system penetration testing, red teaming, etc.)
- Cyber security incident management (planning, testing and response)
Alcorn Group will work with your organisation to tailor a program that meets your needs.