The NSW government has unveiled its inaugural cyber security strategy, promising to introduce mandatory incident reporting and strengthen coordination in a bid to build a holistic approach to incident prevention and response.
The strategy [pdf], released today, details a two-year action plan aimed at improving the state’s security posture using the government’s $20 million cyber security windfall in this year’s budget.
It sets out an integrated approach to manage cyber security risks and respond to incidents across government.
“Cyber security has emerged as one of the most-high profile, borderless and rapidly evolving risks facing governments,” the state’s government chief information security officer Maria Milosavljevic said launching the strategy.
“Investing in strong cyber capabilities will provide confidence to citizens and business who trust us with their data.”
The strategy's debut comes as the state closes in on its target of 70 percent of government transactions through digital channels by 20199.
“As the NSW Government leads the way on streamlined digital service delivery, we must also increase cyber resilience and invest to protect against cyber threats,” the strategy states.
“A priority remains to reduce the impact of cyber attacks which may have a cascading effect on the lives of citizens and the functioning of our critical infrastructure.”
The strategy contains a cyber security framework based on the NIST framework that groups initiatives under six themes: lead, prepare, prevent, detect, respond and recover.
Both the whole-of-government cyber security function - established last year and headed up by Milosavljevic - and individual agencies are expected to deliver the initiatives.
The framework seeks to address many of the key concerns held in a damning report from the state’s auditor-general earlier this year, which found cyber security practices were lacking at the majority of government agencies.
It will see the government introduce best-practice guidelines for detecting, responding and reporting cyber incidents and improve information sharing, including the introduction of a government-wide threat intelligence platform.
This will see the creation of mandatory cyber incident reporting requirements and, down the line, a NSW government cyber security coordination centre.
In the event of a cyber attack, government cyber experts are expected to be shared between agencies.
In order to prevent or reduce the likelihood of cyber disruption, the government will strengthen its digital information security policy, establish minimum cyber security standards and develop cyber assurance mechanisms for IT and infrastructure projects.
Prevention will also be addressed at the procurement level, with standard cyber security procurement contract terms to be introduced and a panel of approved cyber security services created.
A cyber risk program to upskill government employees and a cyber readiness program to test responses are other initiatives in the strategy.
ID recovery
The state plans to improve how it recovers to cyber attacks, in part by creating an identity recovery service for government customers that have their identities compromised.
It will also review how effective the recovery from cyber incidents was and establish post-incident review protocol to continuously improve.
“The suite of initiatives will ensure that the government is equipped to prevent, prepare for and respond to incidents and that each agency and all staff have a clear understanding of their role,” Milosavljevic said.
“To ensure this, we have introduced whole-of-government advisories that are already improving the ability of agencies to quickly and effectively respond to emerging threats.
“We will continue to collaborate with industry leaders and research groups as well as Commonwealth and state law enforcement to ensure we maintain a collaborative approach to cyber security.”
NSW is the third state to introduce a dedicated cyber security strategy after Victoria and South Australia.
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
