Victoria has become the first state to release a dedicated cyber security strategy, promising to deliver confidence in government IT and digital service delivery by adopting a new whole-of-government approach.
Special Minister of State Gavin Jennings unveiled the strategy [pdf] and three-year rolling program of work at an Australian Information Industry Association event in Melbourne today.
It has been a long time coming; the strategy was first announced by the former Liberal government in November 2013, just days before the Victorian auditor-general was slated to release an assessment of the government’s IT security framework.
It tasked the now special advisor to the PM on cyber security, Alastair MacGibbon, with helping to deliver the strategy during 2014.
But nothing was forthcoming, and the strategy fell off the radar until the Labor government recommitted to it in last year’s IT strategy.
The new 23-point strategy focuses on five priority areas to uplift the government’s cyber security capability, and will see the state shift from an individual agency approach to tackling cyber security to a whole-of-government one.
“While our approach to date has worked to some extent, Victorian auditor-general reports and departmental in-house testing regularly uncover vulnerabilities that must be addressed,” the strategy states.
“The time for an agency-by-agency (only) approach has passed. We need to address these risks strategically, and where it makes sense, holistically.”
The appointment of a chief information security officer within the Department of Premier and Cabinet next month is a core component of the government’s plan to improve engagement.
The CISO will co-ordinate a cross-government response to cyber security incidents “where a whole-of-government approach is preferable, more efficient and will provide better security outcomes”, as well as lead the delivery of the strategy's initiatives.
The government will develop and present a quarterly cyber security briefing and status report to the Victorian Secretaries Board and the state crisis and resilience committee, and will create a cyber security group when it finalises its cyber emergency governance arrangements by October.
It will also establish an initial baseline of cyber security capability and produce an annual cyber resilience benchmark report from November, and will undertake cyber security health checks every 12 months from June 2018.
As noted in the state’s ICT network and cyber security statement of direction last September, an integrated and federated whole-of-government security operations centre service model and implementation plan will be delivered by February.
The government also plans to boost cyber security skills across the public sector, indicating that “agencies have limited in-house cyber security skills and face difficulties in retaining expertise”.
It will strengthen partnerships with the private sector by establishing whole-of-government subscriptions for internet security and information security services by September, and a procurement panel to access cyber security services from the private sector by June 2018.
The state also wants to improve the cyber security posture of its burgeoning start-up industry by developing and piloting an SME cyber security operational model by next April.