A NSW Government website

NSW Government
Digital NSW

Mandatory Requirements

The Mandatory Requirements are a minimum baseline for NSW Government agencies to implement. The baseline contains a combination of management and governance practices required to establish an effective cyber security program, as well as key systems-based controls to improve cyber hygiene and help agencies better protect themselves against common threats. This includes incorporation of the ACSC Essential Eight mitigation strategies (Mandatory Requirements 3.3 – 3.10).

The Mandatory Requirements are supported by detailed requirements (see Detailed requirements), which further articulate specific expectations for the practices that are to be implemented and reported on using the assurance assessment.

1. Govern and identify

1.1 Allocate and perform roles and responsibilities for cyber security.

1.2 Have an executive-level governance committee with appropriate authority to make decisions about cyber security, including OT/IoT.

1.3 Ensure that the Audit and Risk Committee (ARC) is briefed regularly on cyber security risks, related issues and corrective actions.

1.4 Develop and maintain a cyber security strategy.

1.5 Develop and maintain formalised plans, policies and processes for cyber security practices.

1.6 Establish and maintain processes for asset inventory management and identify asset dependencies.

1.7 Assess and identify Crown Jewels and classify systems.

1.8 Govern the identification, retention and secure disposal of data.

1.9 Define risk tolerance and risk appetite, and manage cyber security risks.

1.10 Identify and manage third-party service provider risks, including shared ICT services supplied by other NSW Government agencies.

1.11 Establish and maintain vulnerability management processes.

1.12 Ensure cyber security requirements and impacts are assessed as part of change management processes.

2. Detect, respond and recover

2.1 Implement event logging and continuous monitoring to detect anomalous activity.

2.2 Maintain a cyber incident response plan and use exercises and post-incident reviews to continuously improve the plan.

2.3 Report cyber incidents and provide information on threats to Cyber Security NSW.

2.4 Include cyber security in business continuity and disaster recovery planning.

3. Protect

3.1 Conduct awareness activities, including mandatory cyber security awareness training.

3.2 Implement access controls to ensure only authorised access.

3.3 Patch applications (ACSC Essential Eight).

3.4 Patch operating systems (ACSC Essential Eight).

3.5 Implement multi-factor authentication (ACSC Essential Eight).

3.6 Restrict administrative privileges (ACSC Essential Eight).

3.7 Implement application control (ACSC Essential Eight).

3.8 Securely configure Microsoft Office macro settings (ACSC Essential Eight).

3.9 Implement user application hardening (ACSC Essential Eight).

3.10 Maintain backups of important data, software and configuration settings (ACSC Essential Eight).

3.11 Establish and maintain secure configurations.

3.12 Define and implement data security controls.

3.13 Implement email security controls.

3.14 Implement controls for endpoint protection, including mobile devices.

3.15 Implement network security controls.