The NSW government has unveiled its inaugural cyber security strategy, promising to introduce mandatory incident reporting and strengthen coordination in a bid to build a holistic approach to incident prevention and response.
It sets out an integrated approach to manage cyber security risks and respond to incidents across government.
“Cyber security has emerged as one of the most-high profile, borderless and rapidly evolving risks facing governments,” the state’s government chief information security officer Maria Milosavljevic said launching the strategy in Sydney.
“Investing in strong cyber capabilities will provide confidence to citizens and business who trust us with their data.”
The strategy's debut comes as the state closes in on its target of 70 percent of government transactions through digital channels by 2019.
“As the NSW government leads the way on streamlined digital service delivery, we must also increase cyber resilience and invest to protect against cyber threats,” the strategy states.
“A priority remains to reduce the impact of cyber attacks which may have a cascading effect on the lives of citizens and the functioning of our critical infrastructure.”
The strategy contains a cyber security framework based on the NIST framework that groups initiatives under six themes: lead, prepare, prevent, detect, respond and recover.
Both the whole-of-government cyber security function - established last year and headed up by Milosavljevic - and individual agencies are expected to deliver the initiatives.
The framework seeks to address many of the key concerns held in a damning report from the state’s auditor-general earlier this year, which found cyber security practices were lacking at the majority of government agencies.
It will see the government introduce best-practice guidelines for detecting, responding and reporting cyber incidents and improve information sharing, including through the introduction of a government-wide threat intelligence platform.
Mandatory cyber incident reporting requirements will also be created, while a NSW government cyber security coordination centre will be established from the 2019-20 financial year.
In the event of a cyber attack, government cyber experts are expected to be shared between agencies.
In order to prevent or reduce the likelihood of cyber disruption, the government will strengthen its digital information security policy, create minimum cyber security standards and develop cyber assurance mechanisms for IT and infrastructure projects.
Prevention will also be addressed at the procurement level, with standard cyber security procurement contract terms to be introduced and a panel of approved cyber security services created.
A cyber risk program to upskill government employees and a cyber readiness program to test responses are other initiatives in the strategy.
The government is also planning to improve how it recovers to cyber attacks, in part by creating an identity recovery service for customers that have their identities compromised.
It will also review how effectively the state recovers from cyber incidents and establish post-incident review protocol to continuously improve processes and "lessen the likelihood and impact of the same issues reoccurring".
“The suite of initiatives will ensure that the government is equipped to prevent, prepare for and respond to incidents and that each agency and all staff have a clear understanding of their role,” Milosavljevic said.
“To ensure this, we have introduced whole-of-government advisories that are already improving the ability of agencies to quickly and effectively respond to emerging threats.
“We will continue to collaborate with industry leaders and research groups as well as Commonwealth and state law enforcement to ensure we maintain a collaborative approach to cyber security.”
NSW is the third state to introduce a dedicated cyber security strategy after Victoria and South Australia.