A NSW government-sponsored taskforce of industry leaders has called on federal, state and local governments across Australia to adopt internationally recognised cyber security standards for cloud services.
It has also urged governments to more favourably evaluate proposals or tender bids from companies that adopt cyber security and other risk standards for telecommunications and the internet of things (IoT).
The NSW cyber security standards harmonisation taskforce made the recommendations alongside 22 others in a 16-page report [pdf] released on Thursday.
It follows six months of work by the taskforce - which consists of representatives from across the defence, energy, health and financial services sectors - to drive the adoption of standards.
The report separates recommendations for standards development and implementation into seven key areas: cloud, defence, education, energy, financial services, health and telco and IoT.
The taskforce found that there was generally a myriad of cyber security standards to select from, with some embedded into policy and others not.
In the cloud area, the report urges governments to “adopt and leverage recognised ISO and/or IEC standards as baseline requirements for information security (i.e. ISO/IEC 27000 series)”.
Governments looking to introduce new cloud services at a protected level or below should also consider “ISO/IEC 27001, SOC 2 and potentially FedRAMP as part of a uniform security baseline”.
ISO/IEC 27000 is a family of standards used to ensure information assets are secure, whereas FedRAMP is a US program providing a standardised approach to cloud security assessments.
The report said that standards could be embedded within “any regulatory frameworks or procurement models proposed in relation to cyber security”.
Governments have similarly been urged to adopt standards for protective security and supply chain security and risk management, namely ISO 28001, ISO 31000 and the forthcoming ISO 22340.
To assist this, the report recommends that businesses and governments develop material that “clearly communicates any business benefits around the adoption of standards”.
The report also indicates that international standards should be followed in the event that a principles-based approach is adopted instead.
Standards within tenders, government policy
Governments have also been urged to “explore mechanisms to consider, and weight, proposals or tender bids” where a company demonstrates the adoption of standards for telecommunications and IoT.
The report points to standards around cyber security, including IoT security in particular, and risk management.
“This could occur, for example, through assurance processes with routine reporting on the percentage of vendors who demonstrated that they met the requirements of particular standards,” the report said.
“It could also include prioritising proposals or tender bids which demonstrate compliance with recognised international standards or codes.”
New government digital policy documents and directives should similarly “explicitly consider cyber security consideration, including recognised standards”.
“This might, for example, be prior to cabinet or expenditure review committee consideration,” the report added.
Other recommendations include:
- That businesses consider an “Australian Interim Standard or Technical Specification, through Standards Australia, outlining how to develop an information strategy”.
- That businesses and governments, through Standards Australia, explore “the extent to which AS ISO 55001… can explicitly take into consideration cyber security requirements”.
- That the federal government explore how cyber security maturity model certification (CMMC) alignment will take place.
- That education stakeholders, through Standards Australia, develop an Australian Technical Specification on reporting cyber vulnerabilities.
- That governments “ensure that any future guidance on cloud that they develop or mandate … takes a maturity-based approach, which factors into consideration entity size”.
- That governments explore additional support in the form of vouchers or grants for “market entrants to improve access to certification or standards advisory services” around health.
Following the release of the report, Standards Australia CEO Adrian O’Connell said that governments and business will “now begin working collectively towards implementing these key recommendations”.
The taskforce is currently in the process of developing a publicly accessible list of standards for cyber security across the report’s seven priority areas.
AustCyber CEO Michelle Price said that while standards are not a panacea, when “combined with the latest advances in technology, and embedded across global supply chains, they can assist in guiding baseline cyber security requirements”.
“This will help raise the posture of small to medium enterprises (SMEs), organisations and government agencies to compete in the Australian market and internationally,” she said.
NSW customer service minister Victor Dominello welcomed the report, which he said was the result of an Australian-first collaboration between the NSW government, AustCyber and Standards Australia.
“We brought together some of the country’s best and brightest cyber minds, to ensure we have the highest standards in place and remain ahead of the curve,” he said in a statement.