Detailed requirements
| Mandatory Requirement | Detailed Requirement |
|---|---|
| 1.1 Allocate and perform roles and responsibilities for cyber security. | 1.1.1 Ensure the roles and responsibilities set out in the NSW Cyber Security Policy are assigned and performed. 1.1.2 Define and allocate additional roles and responsibilities for cyber security, and review these according to organisational need. |
| 1.2 Have an executive-level governance committee with appropriate authority to make decisions about cyber security, including OT/IoT. | 1.2.1 Have a governance committee (shared or dedicated) at the executive level that: 1.2.2 Ensure the committee has an agreed terms of reference with accountability for cyber security governance over information security, as well as the cyber security of ICT, OT and IoT systems. 1.2.3 Ensure the Agency Head has ultimate accountability for the cyber security of the agency. |
| 1.3 Ensure that the Audit and Risk Committee (ARC) is briefed regularly on cyber security risks, related issues and corrective actions. | 1.3.1 Ensure cyber security is a standing item on the agenda at the department or agency audit and risk committees, including risks, related issues and corrective actions. |
| 1.4 Develop and maintain a cyber security strategy. | 1.4.1 Develop and maintain a cyber security strategy that aligns to the entity's strategic business objectives and captures key threats, risks, vulnerabilities, actions and initiatives to make improvements and address any gaps. 1.4.2 The cyber security strategy is endorsed by the Agency Head. |
| 1.5 Develop and maintain formalised plans, policies and processes for cyber security practices. | 1.5.1 Develop and maintain plans, policies and processes for managing cyber security risks based on organisational context, the agency's cyber security strategy, and NSW Cyber Security Policy requirements. |
| 1.6 Establish and maintain processes for asset inventory management and identify asset dependencies. | 1.6.1 Establish and maintain inventories for enterprise ICT (including cloud), software, OT, IoT and network assets. 1.6.2 Establish and maintain processes for periodically reconciling accuracy and completeness of asset inventories. 1.6.3 Establish and maintain processes for managing the lifecycles of assets and software, including risk-managed disposal and replacement of end-of-support assets and software. 1.6.4 Identify and document external upstream and downstream dependencies of enterprise ICT (including cloud), OT and IoT assets, covering at least Crown Jewel assets. |
| 1.7 Assess and identify Crown Jewels and classify systems. | 1.7.1 Implement a Crown Jewel identification framework and identify Crown Jewel assets. 1.7.2 Classify systems and information for business value, mission criticality and sensitivity (as defined in the NSW Information Handling & Classification Guidelines). |
| 1.8 Govern the identification, retention and secure disposal of data. | 1.8.1 Establish and maintain inventories for data assets covering at least Official: Sensitive classification (as defined in the NSW Information Handling & Classification Guidelines). 1.8.2 Define data retention requirements (with reference to any applicable legislative and policy requirements) for: categories of data, including minimum and maximum retention timeframes; and, for at least Crown Jewels, conduct periodic reconciliation of data assets against data retention requirements. 1.8.3 Establish and maintain processes for secure disposal of data and associated assets in accordance with the type of data and its information classification. |
| 1.9 Define risk tolerance, risk appetite and manage cyber security risks. | 1.9.1 Define risk appetite and risk tolerance for cyber risks and have the cyber risk appetite approved by the Secretary or relevant Agency Head. 1.9.2 Ensure cyber security risks in all areas of the agency are identified, assessed, managed, documented and reported as part of (or consistent with) the agency's enterprise risk management framework. 1.9.3 Ensure the Agency Head or authorised officer has formally approved applicable residual risks where NSW Cyber Security Policy Mandatory Requirements are not implemented and in line with the agency's risk management acceptance criteria. 1.9.4 Escalate unmitigated cyber risks exceeding risk appetite or risk tolerance to delegates in line with the agency's risk management framework or acceptance criteria. |
| 1.10 Identify and manage third-party service provider risks, including shared ICT services supplied by other NSW Government agencies. | 1.10.1 Establish and maintain an inventory of third-party service providers including ICT service providers. 1.10.2 Ensure there is a contractually supported process for third-party service providers to notify the agency of suspected or actual security incidents, as well as data breaches. 1.10.3 Have processes to monitor and assess adherence of third-party service providers to cyber security requirements, including using assurance reports, audits, test results or other forms of evaluations. 1.10.4 Include clauses in contracts with third-party service providers for cyber security requirements and break clauses associated with failure to meet security requirements. |
| 1.11 Establish and maintain vulnerability management processes. | 1.11.1 Establish and maintain a vulnerability management process for the identification and triage of technical vulnerabilities. 1.11.2 Assess alerts from Cyber Security NSW and action alerts applicable to the agency's systems, consistent with the agency's vulnerability management processes. |
| 1.12 Ensure cyber security requirements and impacts are assessed as part of change management processes. | 1.12.1 Ensure cyber security requirements are assessed within IT and enterprise change management processes, including impacts to implement and maintain any required cyber security controls. 1.12.2 Manage changes to cyber security technical controls through enterprise IT change management processes. 1.12.3 Test applicable cyber security controls and secure configurations upon completion of a significant change and update relevant documentation. |
| 2.1 Implement event logging and continuous monitoring to detect anomalous activity. | 2.1.1 Implement and maintain processes to log and monitor critical security events aligning to the threats and risks identified for the organisation, and act on relevant anomalies. |
| 2.2 Maintain a cyber incident response plan and use exercises and post-incident reviews to continuously improve the plan. | 2.2.1 Develop and maintain a cyber incident response plan. 2.2.2 Exercise the cyber incident response plan at least annually. 2.2.3 Perform post-incident reviews where results are used to update existing processes and templates. 2.2.4 Develop and maintain a cyber incident register. |
| 2.3 Report cyber incidents and provide information on threats to Cyber Security NSW. | 2.3.1 Establish and maintain the agency's incident management procedures. Have a defined workflow that indicates when and where information and intelligence should be shared, which includes reporting of cyber event information to Cyber Security NSW. 2.3.2 Report all cyber incidents to Cyber Security NSW. |
| 2.4 Include cyber security in business continuity and disaster recovery planning. | 2.4.1 Include cyber incident scenarios in business continuity and disaster recovery plans. 2.4.2 Include continuity of cyber security operations in business continuity and disaster recovery plans. |
| 3.1 Conduct awareness activities, including mandatory awareness training. | 3.1.1 Define cyber security awareness training requirements for all staff regarding evolving threats, compliance obligations and secure workplace practices. 3.1.2 Mandate completion of cyber security awareness training for employees and contractors, both annually and when onboarding. 3.1.3 Conduct continuous user education regarding evolving threats, compliance obligations and secure workplace practices through awareness activities (outside mandatory training) that align with the defined training plan and cyber risk appetite of the entity. 3.1.4 Conduct regular phishing simulations. 3.1.5 Define cyber security awareness training for high-risk roles, including privileged users, finance/HR teams, executives, etc. 3.1.6 Mandate completion for employees and contractors in high-risk roles both annually and when onboarding. |
| 3.2 Implement access controls to ensure only authorised access. | 3.2.1 Establish a process for granting, maintaining and revoking access for agency systems, applications and information to ensure only authorised access. 3.2.2 Remove access within a defined period of an employee's termination or the employee no longer needing access to the information or system. 3.2.3 Conduct routine user access reviews to ensure that access is being removed for terminated staff, inactive accounts and for privileges no longer required upon a role change. 3.2.4 Establish a continuous improvement process to address identified access control gaps. |
| 3.3 Patch applications (Essential Eight). | 3.3.1 An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities. 3.3.2 A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities. 3.3.3 A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in online services. 3.3.4 A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software and security products. 3.3.5 Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. 3.3.6 Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist. 3.3.7 Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software and security products are applied within two weeks of release. 3.3.8 Online services that are no longer supported by vendors are removed. 3.3.9 Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player and security products that are no longer supported by vendors are removed. |
| 3.4 Patch operating systems (Essential Eight). | 3.4.1 An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities. 3.4.2 A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities. 3.4.3 A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices. 3.4.4 A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices. 3.4.5 Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. 3.4.6 Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist. 3.4.7 Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release. 3.4.8 Operating systems that are no longer supported by vendors are replaced. |
| 3.5 Implement multi-factor authentication (Essential Eight). | 3.5.1 Multi-factor authentication is used to authenticate users to their entity's online services that process, store or communicate their entity's sensitive data. 3.5.2 Multi-factor authentication is used to authenticate users to third-party online services that process, store or communicate their entity's sensitive data. 3.5.3 Multi-factor authentication (where available) is used to authenticate users to third-party online services that process, store or communicate their entity's non-sensitive data. 3.5.4 Multi-factor authentication is used to authenticate users to their entity's online customer services that process, store or communicate their entity's sensitive customer data. 3.5.5 Multi-factor authentication is used to authenticate users to third-party online customer services that process, store or communicate their entity's sensitive customer data. 3.5.6 Multi-factor authentication is used to authenticate customers to online customer services that process, store or communicate sensitive customer data. 3.5.7 Multi-factor authentication uses: something users have and something users know; or something users have that is unlocked by something users know or are. |
| 3.6 Restrict administrative privileges (Essential Eight). | 3.6.1 Requests for privileged access to systems, applications and data repositories are validated when first requested. 3.6.2 Privileged accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services. 3.6.3 Privileged users are assigned a dedicated privileged account to be used solely for duties requiring privileged access. 3.6.4 Privileged accounts explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake their duties. 3.6.5 Privileged users use separate privileged and unprivileged operating environments. 3.6.6 Unprivileged accounts cannot log in to privileged operating environments. 3.6.7 Privileged accounts (excluding local administrator accounts) cannot log in to unprivileged operating environments. |
| 3.7 Implement application control (Essential Eight). | 3.7.1 Application control is implemented on workstations. 3.7.2 Application control is applied to user profiles and temporary folders used by operating systems, web browsers and email clients. 3.7.3 Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set. |
| 3.8 Securely configure Microsoft Office macro settings (Essential Eight). | 3.8.1 Microsoft Office macros are disabled for users that do not have a demonstrated business requirement. 3.8.2 Microsoft Office macros in files originating from the internet are blocked. 3.8.3 Microsoft Office macro antivirus scanning is enabled. 3.8.4 Microsoft Office macro security settings cannot be changed by users. |
| 3.9 Implement user application hardening (Essential Eight). | 3.9.1 Web browsers do not process Java from the internet. 3.9.2 Web browsers do not process web advertisements from the internet. 3.9.3 Internet Explorer 11 is disabled or removed. 3.9.4 Web browser security settings cannot be changed by users. |
| 3.10 Maintain backups of important data, software and configuration settings (Essential Eight). | 3.10.1 Backups of data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements. 3.10.2 Backups of data, software and configuration settings are synchronised to enable restoration to a common point in time. 3.10.3 Backups of data, software and configuration settings are retained in a secure and resilient manner. 3.10.4 Restoration of data, applications and settings from backups to a common point in time is tested as part of disaster recovery exercises. 3.10.5 Unprivileged accounts cannot access backups belonging to other accounts. 3.10.6 Unprivileged accounts are prevented from modifying and deleting backups. |
| 3.11 Establish and maintain secure configurations. | 3.11.1 Unneeded accounts, components, services and functionality of all relevant system categories (e.g. operating systems, application systems, database management systems, etc.) are disabled or removed. 3.11.2 Default accounts or credentials for operating systems, including pre-configured accounts, are changed. 3.11.3 Only authorised users are permitted access to modify settings for the security functionality of operating systems. |
| 3.12 Define and implement data security controls. | 3.12.1 When manually importing data to systems, the data is scanned for malicious and active content. 3.12.2 Data at rest is encrypted using an ASD-approved cryptographic algorithm. 3.12.3 All data communicated over network infrastructure is encrypted. |
| 3.13 Implement email security controls. | 3.13.1 Employ email anti-spoofing measures, including use of Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). 3.13.2 Email content filtering is implemented to filter potentially harmful content in email bodies and attachments. 3.13.3 Emails arriving via an external connection where the email source address uses an internal domain, or internal subdomain, are blocked at the email gateway. |
| 3.14 Implement controls for endpoint protection, including mobile devices. | 3.14.1 Antivirus software is implemented on endpoints and servers. 3.14.2 A software firewall is implemented on endpoints and servers to restrict inbound and outbound network connections to an approved set of applications and services. 3.14.3 Mobile devices used by staff to access government systems have enforced separation of work data from personal data. |
| 3.15 Implement network security controls. | 3.15.1 Networks are segregated into network zones according to the criticality of servers, services and data. 3.15.2 Default accounts or credentials for network devices, including pre-configured accounts, are changed. 3.15.3 Prevent connections to or from known malicious endpoints, using a Protective Domain Name System (PDNS) service or other security mechanism. 3.15.4 Network access controls are implemented to limit network traffic within and between network segments to only those required for business purposes. |
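As an added example that is not part of the policy text, the remediation windows in 3.3.5 to 3.3.7 and 3.4.5 to 3.4.7 expressed as a small compliance check run over a constructed vulnerability inventory, so that late or still-open patches can be listed against their due date. The asset category labels and the reading of "one month" as 30 days are assumptions made for this example, not policy terms.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Remediation windows stated in requirements 3.3.5-3.3.7 and 3.4.5-3.4.7.
FORTY_EIGHT_HOURS = timedelta(hours=48)
TWO_WEEKS = timedelta(weeks=2)
ONE_MONTH = timedelta(days=30)  # assumption: "one month" read as 30 days

@dataclass
class Finding:
    asset: str
    category: str                      # category labels chosen for this example
    released: datetime                 # vendor patch / mitigation release time
    critical: bool = False             # vendor rates the vulnerability critical
    exploited: bool = False            # a working exploit exists
    patched: Optional[datetime] = None # when the fix was applied, if at all

def patch_window(f: Finding) -> timedelta:
    """Maximum time the policy allows between release and application."""
    if f.category in ("online_service", "os_internet_facing"):
        # 3.3.5 / 3.4.5: 48 hours if critical or exploited; else 3.3.6 / 3.4.6
        return FORTY_EIGHT_HOURS if (f.critical or f.exploited) else TWO_WEEKS
    if f.category == "productivity_app":
        return TWO_WEEKS   # 3.3.7: office suites, browsers, email, PDF, security products
    if f.category == "os_internal":
        return ONE_MONTH   # 3.4.7: workstations, non-internet-facing servers/devices
    raise ValueError(f"unknown category {f.category!r}")

def deadline(f: Finding) -> datetime:
    return f.released + patch_window(f)

def breaches(findings, now: datetime):
    """Findings patched after their deadline, or still open past it, as of `now`."""
    out = []
    for f in findings:
        due = deadline(f)
        late = (f.patched is None and now > due) or (f.patched is not None and f.patched > due)
        if late:
            out.append((f.asset, due))
    return out

# Constructed sample inventory (fictional assets and dates)
SAMPLE = [
    Finding("web-portal", "online_service", datetime(2024, 3, 1), critical=True),
    Finding("vpn-gw", "os_internet_facing", datetime(2024, 3, 1), exploited=True, patched=datetime(2024, 3, 2)),
    Finding("hr-app", "online_service", datetime(2024, 3, 1), patched=datetime(2024, 3, 10)),
    Finding("file-srv", "os_internal", datetime(2024, 3, 1)),
    Finding("browser-fleet", "productivity_app", datetime(2024, 3, 1), patched=datetime(2024, 3, 20)),
]

if __name__ == "__main__":
    for asset, due in breaches(SAMPLE, datetime(2024, 3, 12)):
        print(f"{asset}: overdue since {due:%Y-%m-%d %H:%M}")
```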