NSW government agencies will be required to identify their most critical systems and data and report them to the state’s government chief information security officer under a new cyber security policy that also mandates regular education for staff and contractors.
The Department of Premier and Cabinet issued agencies with a directive on Friday replacing the existing digital information security policy with the new guidance.
It is the first revision of the policy in four years, brought about by a scathing review of the public sector’s cyber security capabilities by the auditor-general last year.
The policy [pdf] from the Department of Finance, Services and Innovation introduces a number of new mandatory requirements that will apply to all public service agencies from February 1, as part of the state’s integrated approach to managing cyber security risks and responding to incidents.
It has also been recommended for adoption by state-owned corporations, local councils and universities.
The policy requires agencies to identify their “crown jewels”, or “most valuable or operationally vital systems or information”, and report them to the government chief information security officer (GCISO) as part of a yearly report that covers all mandatory requirements.
This includes software, hardware, communications and networks and, for the first time, industrial and automation control systems or operational technology and the internet of things.
Agencies are also now expected to assess their current maturity levels against each of the Australian Signals Directorate’s ‘essential eight’ cyber security mitigation strategies and report them to the GCISO.
Cyber security education, which was highlighted as a problem area in last year's audit, has also been identified for improvements.
The policy contains a new mandate for agencies to conduct regular cyber security education for all their employees, including contractors and outsourced ICT service providers, and to ensure those with access to sensitive or classified systems or data have “appropriate security screening”.
Agencies have also been told to have a “current cyber security response plan” that is tested at least every year and integrates with the government-wide cyber incident response plan.
Much like the approach taken with the government’s GovDC data centres, agencies have been given the option to seek exemption “to any part of this policy” from the government chief information digital officer Greg Wells.
“There is flexibility in some of the requirements to make an informed, risk-based decision on the type and number of controls that are implemented by an agency,” the policy states.
However, it is expected that agencies that “provide higher risk services and hold higher risk information should implement a wider range of controls and aim for broader coverage and higher maturity levels”.