Minimum you need to do
Apply guiding principles and adhere to cyber security best practice.
Align with best practice
Australian Cyber Security Centre’s Essential 8 Framework
Ensure that, where relevant, you design your digital service to meet maturity level 3 of the ACSC Essential 8 Framework. The Essential 8 are strategies to help mitigate cyber security incidents caused by cyber threats. NSW Government agencies should use them as the baseline for all digital systems.
Secure coding standards
Your development team should align practices with a secure coding standard. Teams can use the checklist in the Open Web Application Security Project’s Secure Coding Practices Guide (OWASP guide) through their software development cycle. The practices will help mitigate most of the common software vulnerabilities. Where possible, you should automate processes to reduce human errors in code.
If your customers need to authenticate with the service, you should provide an option for multi-factor authentication (MFA). Provide MFA via time-based one-time passwords (TOTP) or hardware tokens.
Managing user access
There are no current technical standards around password control practices.
Cyber Security NSW recommends you allow customers to paste passwords on NSW Government websites. This aligns with the National Institute of Standards and Technology (NIST), Special Publication 800-63B Digital Identity Guidelines – Authentication and Lifecycle Management. By allowing customers to paste passwords you are facilitating their use of password managers.
Let them paste passwords, a blog post by the National Cyber Security Centre
The Cobra Effect that is disabling paste on password fields, an article by Troy Hunt, a Microsoft Regional Director.
Ensure that customers are not using bad passwords
When customers register for a digital services account, you should notify them if the password they have chosen has been seen in a known data breach. There are a variety of ways to do this. Base your approach on the individual circumstances of your project, in consultation with your cyber security team.
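One way to do this, shown as an added example that is not part of the original guidance, is a range query in which only the first five hex characters of the password's SHA-1 hash leave your service. The breach corpus, `range_lookup` and the other function names are constructed for illustration; a real deployment would replace `range_lookup` with the breach data source agreed with your cyber security team.

```python
import hashlib
import hmac

# Constructed sample corpus (password -> times seen); not real breach data.
CONSTRUCTED_BREACHED = {"password": 5, "P@ssw0rd": 12, "qwerty123": 40}


def sha1_hex(password: str) -> str:
    # SHA-1 is used only as a lookup key here, never for password storage.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict) -> dict:
    """Bucket breached hashes by 5-character prefix: {prefix: {suffix: count}}."""
    index = {}
    for password, count in breached.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def range_lookup(prefix: str) -> str:
    """Hypothetical stand-in for the breach data source: 'SUFFIX:COUNT' lines."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    bucket = RANGE_INDEX.get(prefix.upper(), {})
    return "\n".join(f"{suffix}:{count}" for suffix, count in bucket.items())


def breach_count(password: str, lookup=range_lookup) -> int:
    """Return how often the password appears in the corpus (0 if unseen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]  # only the prefix leaves the service
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if hmac.compare_digest(candidate.strip().upper(), suffix):
            return int(count)
    return 0


def registration_feedback(password: str):
    """Message to show at registration, or None if the password was not found."""
    seen = breach_count(password)
    if seen:
        return f"This password has appeared in a known data breach ({seen} times). Choose a different one."
    return None
```

Because the suffix comparison happens inside your service, the data source never receives the full hash or the password itself.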
Ensure you manage the log files your digital service generates and analyse them for any undesired behavior.
Ensure that your service encrypts data in transit and at rest. Classify data in the correct way.
Create a security plan
Create a security plan to manage the ongoing security of the service. A security plan is a 'living' document that you will need to review and revise. Ensure its goals and how you manage security risks keep pace with:
- changes in the service
- emerging threats
- changes in technology and policies
- the operating environment.
Include a detailed risk component. This will ensure you outline all risks and mitigations for governance and reporting purposes.
Talk to your cyber security team to help you develop your plan. You should involve people with the right level of knowledge and expertise in managing security risk. They should know about the strategic goals and objectives of your agency and cluster.
Create a risk plan
A risk plan identifies security risks to the digital service, their impact and likelihood of occurring. Your cyber security expert can help you create a risk plan. You should include the risk plan in your overarching plan for ongoing security.
NSW Treasury’s Risk Assessment and Risk Register Template is a tool to help agencies develop and implement their risk management framework and processes.
When you develop your risk plan you should consider the following:
- Define your system so you can select controls to provide the right level of cyber security protection. Consider the <system criteria>.
- Identify risks, their impact and the likelihood that they will happen
- How you will report and respond to any incidents and breaches. Talk to your information management security team to know who you need to report incidents and breaches to.
How to show you’ve met cyber security best practice
You will have:
- consulted your information security team and used the OWASP Guide
- developed a plan for managing the ongoing security of your service in consultation with your cyber security expert
- developed a risk plan that addresses security risk, and the impact and likelihood of the event
- recorded how your team can report and respond to breaches and incidents.