Unveiled late last year, the New South Wales Government’s new Cyber Security Policy is designed to improve the digital defences of all state government agencies. The problem, however, is that many remain confused about exactly what they need to do.
Under the policy, agencies must provide a written report to the government’s Chief Information Security Officer (GCISO) by August 31 each year. The report must detail how the agency’s security status ranks against a variety of criteria, any high or extreme risks being faced, and a full list of data stores regarded as the ‘crown jewels’ for the agency.
Lack of understanding
The new policy replaces the former Digital Information Security Policy released in 2015. It is designed to improve cyber protection for agencies and the citizens they serve.
While the intent of the new policy is solid, there is clearly a long way to go before many agencies will be in a position to comply. With just months before the first deadline, many risk missing it altogether.
The reality for many agencies will be that in order to comply it will require a full self-assessment of all digital systems and processes and the creation of a detailed plan for security improvements. Progress will also need to be measured against the recommended standards that form part of the policy.
The Essential 8
A core part of the new policy revolves around a set of risk mitigation strategies dubbed the ‘Essential 8’. These have been provided by the GCISO to give agencies a blueprint on which to build their security defences.
The strategies cover a range of areas including malware prevention, limiting cyber security incidents and data recovery. Recommended steps include deploying multi-factor authentication, regularly patching systems, application whitelisting and undertaking daily data backups.
Before any new strategies are implemented, the new policy recommends that an agency undertakes three important steps, starting with the identification of all systems that require protection. Next, the agency should identify which adversaries are the most likely to target their systems. These could range from cyber criminals or malicious employees to criminals and even nation states.
Finally, the agency should identify what level of protection is required for each system and data store. Once this has been completed, the most appropriate strategies from the Essential 8 can then be deployed.
The ‘crown jewels’
Another core component of the new policy is the concept of digital ‘crown jewels’. These are the systems and data stores within each agency that are deemed critical for its operation and the delivery of services.
With multiple systems spread across multiple locations, adhering to this requirement could be somewhat challenging for many agencies. It will likely require a thorough audit of every system in use and a ranking of its importance to the agency’s function.
In larger agencies this process will be very time consuming and require significant resource allocation to complete. There may even be a requirement to bring in external resources to assist with the task.
Once identified, these crown jewel resources must be documented and reported to the GCISO each year as part of a full cyber security report.
As well as assessing IT systems and data stores, the new policy also requires agencies to undertake specific organisational changes to ensure effective cyber security can be achieved and retained.
The head of each agency will be responsible for ensuring their organisation complies with all of the policy’s requirements and that progress reports are filed ahead of each annual deadline. They must also ensure their agency develops, implements and maintains an effective cyber security plan.
To allow these goals to be reached, the policy requires that a senior executive-band officer be given the authority to perform all the duties outlined in the policy. There is also a requirement for ongoing awareness and skills training of all employees to be undertaken. They must be fully aware of what role they can plan in achieving effective cyber security and the risks faced by their agency.
There is clearly considerable work that needs to be undertaken by all state agencies if they are to be in a position to comply with the requirements of the new policy. Everything from comprehensive audits and documentation to the selection of appropriate strategies and the education of staff must be achieved – and within just a few short months.
Agencies need to ramp up their efforts now and put in place defined plans to achieve compliance. This must begin with having a thorough understanding of the new policy and all the requirements it contains.
New South Wales is in a position to become a global leader in public sector cyber security. Achieving compliance with the state’s new policy is an important first step.