Glossary

Item

Definition

Agency Heads
a) in the case of a Department – the Secretary of the Department, or
b) in any other case – the head of the agency listed in Part 2 or 3 of Schedule 1 of the Government Sector Employment Act 2013.

Access Control
The process of granting or denying requests for access to systems, applications and information. Can also refer to the process of granting or denying requests for access to facilities.

ACSC
Australian Cyber Security Centre.

Application Whitelisting
An approach in which only an explicitly defined set of applications is permitted to execute on a system.

Audit Log
A chronological record of system activities, including records of system access and operations performed.

Audit Trail
A chronological record that reconstructs the sequence of activities surrounding, or leading to, a specific operation, procedure or event.

Authentication
Verifying the identity of a user, process or device as a prerequisite to allowing access to resources in a system.

Authorisation
The process of defining or verifying permission for a specific identity or device to access or use resources in a system.

Business Continuity Plan
A document that outlines how an organisation can ensure its critical business functions will either continue to operate despite serious incidents or disasters that might otherwise have interrupted them, or will be recovered to an operational state within a reasonably short period.

Breach (data)
An incident that results in unauthorised access to, modification or disruption of data, applications, services, networks and/or devices by bypassing their underlying security mechanisms.

Breach (security)
When data is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. Also referred to as a ‘Data Spill’.

CIO
Chief Information Officer.

CISO
Chief Information Security Officer.

Classification
The categorisation of systems and information according to the expected impact if they were to be compromised.

Cluster (also lead cluster department or department)
Officially defined as Departments in Schedule 1 of the Government Sector Employment Act 2013, clusters are the eight groups into which NSW Government agencies are organised to enhance coordination and the provision of related services and policy development (this reflects the Machinery of Government changes effective 1 July 2019).

Critical infrastructure
Those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security. (Security of Critical Infrastructure Act 2018)

Crown jewels
The most valuable or operationally vital systems or information in an organisation.

CSF
Cyber Security Framework.

CSMS
A Cyber Security Management System is a management system focused on the cyber security of control systems rather than of information.

Cyber attack
A deliberate act through cyberspace to manipulate, disrupt, deny, degrade or destroy computers or networks, or the information resident on them, with the effect of seriously compromising national security, stability or economic prosperity.

Cyber crime
Crimes directed at computers, such as illegally modifying electronic data or seeking a ransom to unlock a computer affected by malicious software. It also includes crimes where computers facilitate an existing offence, such as online fraud or online child sex offences.

Cyber crisis
Major disruptions to services and operations, with genuine risks to critical infrastructure and services and to the safety of citizens and businesses. Intense media interest and large demands on resources and critical services.

Cyber event
An identified occurrence of a system, service or network state indicating a possible breach of security policy or failure of safeguards.

Cyber incident
An occurrence or activity that may threaten the confidentiality, integrity or availability of a system or the information stored, processed or communicated by it.

Cyber Incident Response Plan
A plan for responding to cyber security incidents.

Cyber security
Measures used to protect the confidentiality, integrity and availability of systems and information.

Disaster Recovery Plan
Outlines an organisation’s recovery strategy for how it will respond to a disaster.

Essential Eight
Eight essential mitigation strategies that organisations are recommended to implement as a baseline to make it much harder for adversaries to compromise systems.

Full Backup
Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur.

IACS
Industrial Automation and Control Systems, also referred to as Industrial Control Systems (ICS), include “control systems used in manufacturing and processing plants and facilities, building environmental control systems, geographically dispersed operations such as utilities (i.e., electricity, gas, and water), pipelines and petroleum production and distribution facilities, and other industries and applications such as transportation networks, that use automated or remotely controlled or monitored assets.” (IEC/TS 62443-1-1 Ed 1.0)

ICT
Information and Communications Technology, also referred to as Information Technology (IT), includes the software, hardware, networks, infrastructure, devices and systems that enable the digital use and management of information and the interaction between people in a digital environment.

ISMS
An Information Security Management System “consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organisation, in the pursuit of protecting its information assets. An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation’s information security to achieve business objectives”. (ISO/IEC 27000:2018)

Incident Response Plan
A plan for responding to cyber security incidents.

Information security
The protection of information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability.

IoT
Internet of Things: the network of physical objects, devices, vehicles, buildings and other items which are embedded with electronics, software, sensors and network connectivity, enabling these objects to connect to the internet and collect and exchange data.

Macro
An instruction that causes the execution of a predefined sequence of instructions.

Multi-factor authentication
A method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have) and inherence (something they are).

NSW CCSO
NSW Chief Cyber Security Officer. Note: the NSW whole-of-government cyber function was renamed ‘Cyber Security NSW’, and the ‘Government Chief Information Security Officer’ was renamed NSW Chief Cyber Security Officer in May 2019.

PABX
A Private Automatic Branch Exchange is an automatic telephone switching system within a private enterprise.

Partial Backup
A partial restoration is anything less than a full restoration. The expectation is that at least any chosen file or database can be restored.

Patching
The action of updating, fixing or improving a computer program.

Position of Trust
A position that involves duties requiring a higher level of assurance than that provided by normal employment screening. In some organisations additional screening may be required.
Positions of trust can include, but are not limited to, an organisation’s Chief Information Security Officer and their delegates, administrators or privileged users.

Privileged User
A user who can alter or circumvent a system’s security measures. This can also apply to users who have only limited privileges, such as software developers, who can still bypass security measures.
A privileged user can have the capability to modify system configurations, account privileges, audit logs, data files or applications.

Public service agency
Section 3 of the Government Sector Employment Act defines a Public Service agency as:
  • a Department (listed in Part 1 of Schedule 1 to the Act), or
  • a Public Service executive agency (being an agency related to a Department), or
  • a separate Public Service agency.

Red Team
Ethical hackers who provide penetration testing to ensure the security of an organisation’s information systems.

Remote Access
Access to a system that originates from outside an organisation’s network and enters the network through a gateway, including over the internet.

Risk appetite
“Amount and type of risk that an organisation is willing to pursue or retain.” (ISO/Guide 73:2009)

Risk tolerance
“Organisation’s or stakeholder’s readiness to bear the risk, after risk treatment, in order to achieve its objectives.” (ISO/Guide 73:2009)

SDLC
The System Development Life Cycle is the “scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal”. (NIST SP 800-137)

Secure-by-design
An approach to software and hardware development that tries to minimise vulnerabilities by designing systems to be secure from the foundation and assuming that malicious practices will occur.

Significant cyber incident
Significant impact to services, information, assets, NSW Government reputation and relationships, and disruption to the activities of NSW businesses and/or citizens. Multiple NSW Government agencies, their operations and/or services impacted. May involve a series of incidents having cumulative impacts.

State owned corporation
Commercial businesses owned by the NSW Government: Essential Energy, Forestry Corporation of NSW, Hunter Water, Port Authority of NSW, Sydney Water, Landcom, Water NSW.

Supply Chain
A system of organisations, people, activities, information and resources involved in supplying a product or service to a consumer.

Systems
Software, hardware, data, communications and networks, including specialised systems such as industrial and automation control systems, telephone switching and PABX systems, building management systems and internet-connected devices.

Whitelisting
Authorising only approved applications for use within organisations in order to protect systems from potentially harmful applications.