The New South Wales government on Friday published its cybersecurity strategy, taking a whole-of-government view of how to manage risk and borrowing the framework laid out by the National Institute of Standards and Technology (NIST).
The 20-page strategy [PDF] focuses on six themes, lead, prepare, prevent, detect, respond, and recover, which together form the state's Action Plan.
Notably, the strategy points to the creation of a mandatory cyber incident reporting scheme, inter-agency information-sharing, and cybersecurity-focused training for public servants.
Under the theme of lead, the government this year said it will be focusing on developing shared cybersecurity terminology.
Prepare sees the state develop a "cyber aware culture" based on a risk management approach, establish a web portal for training and "collaboration", and develop a cyber skills pathway model for NSW agencies.
An initiative under prevent will be the introduction of a "secure-by-design" approach for new initiatives, including for the Internet of Things and connected infrastructure.
In addition to the mandate to share information between state entities, detect will also see the establishment of a whole-of-government threat intelligence platform.
Respond will see the government stand up a cybersecurity incident response and remediation advisory service, in addition to introducing mandatory cyber incident reporting requirements.
Lastly, recover will require the establishment of an identity recovery service for customers of NSW government whose identities become compromised from a cyber incident.
The strategy follows the NSW Auditor-General in March asking the state to create a whole-of-government capability that encourages the sharing of cybersecurity and threat information.
During the Auditor-General's probe, it was revealed that of the 10 agencies investigated, two had good detection and response processes, four had a medium capability to detect and respond to incidents in a timely manner, and the remaining four had a low capability.
While it was found that most agencies had incident response procedures, some lacked guidance on who to notify and when, and some had no response procedures at all.
The strategy that hopes to remedy this will be guided by the Cyber Security Senior Officers Group (CSSOG), which was established under the office of the government chief information security officer (GCISO).
The NSW government announced the appointment of its first government chief information security officer in March 2017, hiring Dr Maria Milosavljevic from Austrac to fill the position.
At the time, it was said Milosavljevic would work with industry, all levels of government, and international governments on a "collaborative" approach to cybersecurity.
As GCISO, she is also charged with developing a set of standards with NSW government agencies to streamline the cybersecurity approach across government.
Although NSW government agencies all have a role to play in ensuring a "cyber safe NSW", the strategy says individual agencies will remain responsible for maintaining security of their own systems, services, and infrastructure.
"The group's focus is on supporting the GCISO in minimising the impact of cyber risk to NSW (citizens, business, and government agencies) and integrating cyber risk into the emergency management and counter terrorism frameworks," the strategy explains.