Since its establishment in March 2017, the office of the GCISO has been focussed on laying all the foundational pieces to support a coordinated NSW government response to any cyber threat.
Because it is rare for serious cyber threats to be limited specifically to one organisation, coordination is the key prerequisite to effective cyber security. Cyber security conducted in a siloed, agency-by-agency manner only increases the problem, because the opportunity is lost for others to quickly pre-empt and avoid emerging threats.
With great support from agencies, we have achieved a lot in a short space of time to make sure that we are addressing the increasing risks to our systems and information, especially in the following areas:
Governance: a deputy secretary-level body of cyber risk “owners” from all departments, the Cyber Security Senior Officers’ Group, has operated alongside the existing technology governance group, the ICT and Digital Leadership Group. In addition, to ensure we have the best advice from outside government, we also set up a Cyber Security Advisory Council.
Operational support & coordination: an operations team to help agencies with threat email advisories and support in managing incidents when they happen.
Budget: $20 million over four years to fund the central whole-of-government cyber security function to better coordinate and improve existing activities across NSW Government agencies.
Cyber Security Strategy: launched in September 2018, the NSW Cyber Security Strategy outlines our risk-based approach, with an action plan for future initiatives in a wide range of areas including training and awareness, cyber skills and career pathways.
Cyber Security Policy: We have developed a new Cyber Security Policy which replaces the Digital Information Security Policy. This has recently been approved and will be made public shortly – watch for a blog on this topic soon.
Whole of Government response arrangements: approved Whole of Government incident response plans are in place, including those dealing with emergencies.
Response exercises: Of course, there’s no point in having response plans if no one knows about them. These plans need to be second nature, so that everyone knows what they need to do if things go wrong. So another major initiative has been our Cyber Incident Response Exercises – we have done four so far. These involved running through a fictitious scenario to test how staff and executive management respond. We are using the results of these exercises to clarify the roles and responsibilities of all staff in the public sector. This is very important in building our cyber resilience and preparedness.
Procurement: better value by purchasing services for whole of government that would be prohibitive if every agency did them separately. As part of this work, we contracted a service (known as DMARC) to protect Government websites from spoofing. We are also making sure that as procurement takes place, the right questions are asked and the right terms are applied in contracts. We will talk more about this in future too.
Cyber risk assessment: commissioned a ‘Passive Security Assessment’ which scanned a total of 3,257 unique web domains and subdomains used by NSW Government agencies and provided useful vulnerability information to many agencies.
NSW is a digital transformation leader, and we are making sure that as we transform, we also keep our eyes firmly fixed on securing the information and services for which we are responsible.