NSW Govt unveils first cyber security strategy

To ensure services offered by agencies are connected and protected
Maria Milosavljevic (NSW GCISO)

The New South Wales Government has introduced its first cyber security strategy that will see agencies across the state taking an integrated approach to prevent and respond to cyber threats.

The strategy was developed to ensure that services offered by the NSW Government agencies are connected and protected while meeting the needs of the government, business and citizens.

“The Strategy sets out the NSW Government’s $20 million cyber security action plan to create a cyber safe NSW,” said Maria Milosavljevic, NSW Government chief information security officer (GCISO).

“Cyber security has emerged as one of the most high-profile, borderless and rapidly evolving risks facing governments. Investing in strong cyber capabilities will provide confidence to citizens and business who trust us with their data,” Milosavljevic, who was appointed to the newly created position in March last year, said.

According to the NSW Cyber Security Strategy, unveiled today, individual agencies are responsible for maintaining security of their own systems, services and infrastructure.

The GCISO will provide coordination, advice and threat intelligence, while law enforcement agencies conduct investigations and provide victim support. NSW Department of Industry and TAFE NSW will provide industry and skills development.

Infrastructure NSW, the Department of Industry and emergency response also play a part in the integrated strategy. Specifically, Infrastructure NSW and the GCISO are collaborating to ensure internet of things (IoT) devices have cyber security risk assessments built in as part of a comprehensive assurance process.

The Australian Cyber Security Centre (ACSC) and the Joint Cyber Security Centre (JCSC) also have their roles in the strategy, as well as Data61, the NSW Cyber Security Network and the Cyber Security Cooperative Research Centre.

Action Plan

The strategy's action plan was based on the National Institute of Standards and Technology framework, and consists of six elements: 'lead, prepare, prevent, detect, respond and recover'.

For each part, the Government has set out a number of actions, each followed by what would constitute an ideal result for that action.

One of the actions of 'lead' is to establish a Cyber Security Advisory Council to provide expert advice from outside government, which would result in a Government that is up-to-date with cyber trends and receives the best available external advice. This has already been implemented by the GCISO.

“The suite of initiatives will ensure that the government is equipped to prevent, prepare for and respond to incidents and that each agency and all staff have a clear understanding of their role,” Milosavljevic said.

“To ensure this, we have introduced whole-of-government advisories that are already improving the ability of agencies to quickly and effectively respond to emerging threats.”

One of the actions within 'prepare' is to partner with NSW Department of Industry to develop a cyber skills pathway model for NSW Government agencies.

Establishing a panel of approved cyber security services is one of the actions within 'prevent', with the goal that agencies have streamlined access to services to assist them in improving their cyber risk profile.

The action plan also proposes that improved information sharing is streamlined across agencies. That includes establishing an inter-agency information sharing protocol and whole-of-government threat intelligence platform with regular notifications, security advisories and incident alerts distributed to all agencies from the GCISO and linked to Commonwealth and vendor threat intelligence feeds.

A plan to establish a model whereby NSW Government agencies share cyber skilled personnel during a crisis or major incident is part of 'respond'.

Establishing an identity recovery service for customers of the NSW Government whose identities become compromised after a cyber incident is one of the actions outlined in 'recover'.

Secure states

The new security strategy follows a call earlier this year by the NSW auditor-general for urgent action to improve the ability of state government agencies to detect and respond to cyber security incidents.

The 2018-19 NSW budget, handed down in June, included $20 million over four years to boost the government’s “preparedness for and response to cyber security issues across all agencies”.

Other states and territories have also been improving their cyber security posture over the last year.

In August last year the Victorian government launched its first whole of government cyber security strategy, implementation of which is being overseen by Victoria’s CISO, John O’Driscoll.

In April 2017, the South Australian government appointed David Goodman to be the state government’s first chief information security officer.

Over in WA, the state government says it is working to boost whole of government security through a new cyber security team sitting within the Office of Digital Government. WA agencies have been subject to a string of unflattering security audits.

In 2016 the Queensland government announced it would fund a Cyber Security Unit within the state’s Chief Information Office.