Policy statement
Overview
Having strong cyber security capability and a culture of responsibility is an important component of the NSW Beyond Digital Strategy. It enables the effective use of emerging technologies and ensures confidence in the services provided by the NSW Government. Cyber security covers all measures used to protect systems and information processed, stored or communicated on these systems, from compromise of confidentiality, integrity and availability.
Cyber security is becoming more important as cyber risks continue to evolve. Rapid technological change in the past decade has resulted in increased cyber connectivity and more dependency on cyber infrastructure.
The NSW Cyber Security Policy is reviewed annually and updated based on agency feedback and emerging cyber security threats and trends.
Purpose
The NSW Cyber Security Policy outlines the Mandatory Requirements to which all NSW Government agencies must adhere. Each Mandatory Requirement is supported by detailed requirements. These detailed requirements are a baseline of minimum requirements expected of agencies. The policy aims to reduce impacts to confidentiality, integrity and availability of services and information, by ensuring cyber security risks to the information and systems of NSW Government departments and agencies are appropriately managed. This policy is designed to be read by Agency Heads and all Executives, Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), or equivalent, and audit and risk teams.
Scope
The NSW Cyber Security Policy applies to all NSW Government departments and public service agencies, including statutory authorities, and all NSW Government entities that submit an annual report to a Secretary of a lead department or portfolio, direct to a Minister or direct to the Premier. In this policy, references to “lead portfolio departments” or “portfolios” mean the departments listed in Part 1, Schedule 1 of the Government Sector Employment Act 2013. The term “agency” is used to refer to any or all NSW Government departments, public service agencies and statutory authorities. References to employees and contractors apply to people who have access to NSW Government systems and/or information and communications technology (ICT).
The NSW Cyber Security Policy applies to:
- information, data and digital assets created and managed by the NSW public sector, including outsourced information, data and digital assets
- ICT systems managed, owned or shared by the NSW public sector, including cloud services
- operational technology (OT) and Internet of Things (IoT) devices that handle government data, government-held citizen data or provide government services.
The NSW Cyber Security Policy is not mandatory for state-owned corporations, non-government organisations, local government or universities. However, it is recommended for adoption by these organisations as a foundation of strong cyber security practice. Cyber Security NSW can work with these types of organisations to help implement the policy.
Local government can consider voluntary self-assessment against the Cyber Security Guidelines – Local Government. These are foundational cyber security requirements for local government modelled on the NSW Cyber Security Policy. These guidelines will be updated annually, in accordance with the annual review of the NSW Cyber Security Policy.
Risk-based implementation of the Policy
Whilst the NSW Cyber Security Policy applies across the entire agency and sets out minimum requirements for agencies, not all requirements can be uniformly implemented across the defined scope. For the scope of the Mandatory Requirements, agencies should ensure any use of exceptions for a system are documented and approved by an appropriate authority through a formal process.
Documentation for exceptions should include the following:
- detail, scope and justification for exceptions
- detail of compensating controls associated with exceptions, including:
  - detail, scope and justification for compensating controls
  - expected implementation lifetime of compensating controls
  - when compensating controls will next be reviewed
  - system risk rating before and after the implementation of compensating controls
- any caveats placed on the use of the system as a result of exceptions
- acceptance by an appropriate authority of the residual risk for the system
- when the necessity of exceptions will next be considered by an appropriate authority (noting exceptions should not be approved beyond one year).
The appropriate use of a formal exception process, along with compensating controls, should not preclude an entity from being assessed as compliant.
This approach to exceptions is sourced from, and also applies to, assessments against the Australian Cyber Security Centre (ACSC) Essential Eight, consistent with the ACSC Essential Eight Assessment Process Guide.
Beyond the minimum requirements established within the Mandatory Requirements, agencies should take a threat and risk-based approach to cyber security implementation (see Threat-based cyber risk management).
Assistance implementing the NSW Cyber Security Policy
Cyber Security NSW can provide guidance documents and toolkits to assist agencies with implementation of the NSW Cyber Security Policy. For copies of these documents, or for advice regarding the policy, please contact info@cyber.nsw.gov.au.
Agencies must identify their central portfolio CISO and maintain contact with them throughout the NSW Cyber Security Policy reporting period, especially if they require assistance meeting the reporting requirements outlined below.
Exemptions and extensions
Exemptions to the NSW Cyber Security Policy, and extensions to reporting, will only be considered in exceptional circumstances. To seek an exemption or extension, contact your portfolio CISO in the first instance. If the exemption request is deemed valid by your portfolio CISO they will contact Cyber Security NSW on your behalf.
Independent agencies may seek to raise an exemption or extension request directly with Cyber Security NSW, but are expected to advise their portfolio CISO of the request.
Requests must be made in writing to Cyber Security NSW at info@cyber.nsw.gov.au, prior to 30th September.