Cyber security is critical in ensuring the NSW Government provides secure, trusted and resilient services. Cyber Security NSW provides an integrated approach to preventing and responding to cyber security threats across NSW; safeguarding our information, assets, services and citizens.
Formerly the Office of the Government Chief Information Security Officer, the function was renamed Cyber Security NSW in May 2019. At that time, I was appointed to the newly established role of NSW Chief Cyber Security Officer (CCSO). These changes reinforce cyber security as a shared responsibility, as is our collective response.
Cyber Security NSW continues to focus on enhancing whole-of-government cyber security capabilities and standards, boosting cyber incident response coordination, and overseeing the development of strategic cyber security policy positions.
We collaborate with NSW agencies, emergency management, law enforcement, the private sector and other jurisdictions to enhance whole-of-government cyber capability.
A key component of my role is the provision of strategic advice to the NSW Government to drive a culture of risk management and awareness to support greater resilience to cyber security threats.
The first reporting against the new Cyber Security Policy has identified there is a need to uplift cyber security maturity across NSW.
NSW Government is not alone with State and Federal government agencies also working to boost cyber maturity levels.
As the leading State for digital transformation, NSW must also take a lead in ensuring its cyber hygiene levels keep pace with this transformation.
A focus for the coming year will be continuing to work with departments to strengthen whole-of-government cyber security and seeking funding for our centralised function to continue to protect our digital systems and services.
I am encouraging Chief Information Security Officers to work within their respective department to highlight cyber security risks and to seek funding for maturity uplift requirements.
Achievements Sept 2018 - Sept 2019
Since the launch of the NSW Cyber Security Strategy in September 2018, significant progress has been made in uplifting cyber security risk awareness amongst NSW Government decision-makers.
We have also achieved major milestones by leading and coordinating initiatives to boost the cyber security capability and effectiveness of NSW Government agencies in a rapidly evolving threat environment.
Cyber Security Strategy
In September 2018 we launched the NSW Government Cyber Security Strategy promoting for the first time an integrated whole-of-government approach to preventing and responding to cyber security threats.
Cyber Security Incident Emergency Sub Plan
In December 2018 we created the Cyber Security Incident Emergency Sub Plan which includes cyber security as part of the NSW State Emergency Management Plan arrangements for the first time. This prepares us for the potential consequences of a significant cyber security incident or crisis.
NSW Cyber Security Policy
In February 2019 we launched the NSW Cyber Security Policy, which introduced enhanced cyber security maturity reporting requirements for departments compared to the Digital Information Security Policy it replaced.
This Policy created new requirements for all NSW Government agencies to have robust, risk-based cyber security in place and to keep customers safe from threats to their information and the critical services they rely on.
Essential 8
For the first time in NSW, government agencies are now required by 31 August each year to assess their maturity against the Australia Cyber Security Centre's 'Essential 8', identify and report their 'crown jewels' (critical assets) and high and extreme risks. This is in addition to reporting against an expanded set of mandatory requirements.
We will continue to use insights gained from analysis of reporting data to identify the most effective strategies to uplift whole-of-government cyber maturity and systematically address the most critical cyber security risks, working closely with department cyber security teams. For the first time a clear picture of whole-of-government cyber security maturity has been developed in NSW and this situational awareness will strengthen with each reporting period.
Cyber security exercises
We held four cyber security exercises to test the Government's readiness around the NSW Cyber Security Incident Response Plan and NSW Cyber Security Incident Emergency Sub Plan (Sub Plan). This included:
- simulating the communications process within government and to the public during a significant cyber security incident and crisis
- testing contact details of key staff
- testing the response of agency leadership to a realistic scenario of a cyber security attack causing disruption to critical infrastructure and government services
- exercising the operational relationship between Cyber Security NSW and the Information & Privacy Commissioners in the event of a significant cyber incident or crisis. As this currently falls outside the formal arrangements under the Sub Plan, the exercise allowed both parties to further understand their respective roles and responsibilities.
Training, building community, capability uplift
We commenced implementation of a Domain-based Messaging, Authentication, Reporting and Conformance (DMARC) and brand protection solution across government. This ongoing project is crucial to protecting customers of NSW Government services. Working with cyber security teams in all departments, we are making it harder for cyber criminals to send fake emails and impersonate NSW Government websites.
We established a subscription with IDCARE, the leading organisation providing identity and cyber support to the community. The subscription enables any department to refer customers affected by online fraud and identity theft. This allows customers to receive practical assistance and tailored advice from IDCARE on recovering their identities and managing the impact of stolen credentials.
We are working closely with agencies to improve and encourage all departments to develop a cyber security uplift strategy. We are also developing a business case in which department uplift will be a key component.
We procured and rolled out an online training platform to cyber security teams across NSW Government to uplift technical skills of staff.
We conducted a Cyber Security for Executives training course for over 70 executives across government, with further courses scheduled for early 2020.
We revitalised the Cyber Security Senior Officers' Group (CSSOG). This group consists of the senior risk owners for cyber security at the Deputy Secretary level across NSW Government. It is now chaired by the Secretary of Customer Service, Em Hogan, and has a direct reporting line to the Secretaries Board.
We worked to improve cyber culture within agencies through significant increase in tactical, operational and strategic intelligence products disseminated to stakeholders on cyber threats, vulnerabilities and risks across NSW Government.
We finalised key documents including the Cyber Security NSW Incident Playbook and NSW Cyber Incident Response Plan to ensure cyber incident response is consistent and coordinated at an operational and strategic level in NSW.
The year saw a significant increase in stakeholder engagement and partnerships with Commonwealth and state law enforcement and state counterparts at an operational level. This has successfully increased the coordination of incident response through improved timeliness and transparency in information sharing, including the provision of NSW threat analysis to Commonwealth agencies.