NSW adopts new Cyber Security Policy

The NSW Government has implemented a new state-wide Cyber Security Policy to ensure an integrated approach to preventing and responding to cyber threats.

The new policy will be mandatory for all public sector agencies, and highly recommended for adoption in state-owned corporations, local councils and universities.

It is designed to replace the old Digital Information Security Policy and was completed following an extremely critical review of the state government’s cybersecurity capabilities, released by the NSW Auditor General in March last year.

The policy introduces new mandatory requirements including identification of an agency’s most valuable and operationally vital systems or information.

The policy meanwhile requires the implementation of regular cybersecurity education for all employees, contractors and outsourced ICT service providers, as well as the conducting of a security maturity assessment based on the Australian Cyber Security Centre’s Essential 8 cyber threat mitigation strategies.

It also mandates the reporting of cybersecurity incidents to the state’s Government Chief Information Security Officer (GCISO) and requires agencies to meet security requirements for industrial automation and control systems and Internet of Things (IoT) devices.

With the policy now in effect, agencies will be required to compile a current cybersecurity response plan that is tested and revised at least once per year.

Under the new policy, agencies will be required to complete security assessments and reports for the 2018/19 financial year on 31 August.

Agencies will be able to seek exemptions to aspects of the policy, but the request will need to be approved by both the GCISO and the Government Chief Information and Digital Officer.

Image credit: ©iconimage/Dollar Photo Club

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.