The NSW Cyber Security Standards Harmonisation Taskforce has handed down a bunch of recommendations that ask for industry and government to consider if they want to move forward by being protected harmoniously.
The recommendations made in the taskforce's report [PDF] cover seven themes: Cloud as a "digital backbone", defence, education, the energy sector, financial services, health, and telecommunications and the Internet of Things (IoT).
When moving workloads to the cloud, the taskforce wants ISO or IEC standards followed as baseline requirements for information security, protective security, and supply chain security and risk management.
With the Australian Signals Directorate announcing in March it would be shuttering the current form of its cloud certification program, the taskforce has suggested that Australian governments, in relation to any new proposed cloud security requirements for services up to, and including, protected level, should consider a combination of compliance with ISO/IEC 27001, SOC 2, and potentially FedRAMP2 as part of a uniform security baseline.
It also wants Standards Australia to work with government and industry to develop material, such as a handbook, on how to adopt globally recognised standards.
In addition, the taskforce is asking for an education sector-specific set of standards to be developed to ensure current risk management procedures are up to date.
Likewise, it's recommending the development of material that clearly communicates any business benefits around the adoption and use of standards to improve cybersecurity posture in the energy sector. This includes ensuring boards and executives understand the severity of weak systems.
"This should include in relation to managing their legal obligations (for example, the Corporations Act, as well as energy-specific statutes) and the information should be rendered as clearly as possible," the report said.
Building on the finance sector's Consumer Data Right obligations, the taskforce has suggested creating a new set of ISO standards that cover all of the sector's regulatory requirements.
The health sector, meanwhile, should take a look at global peers and ensure that any future guidance on cloud that they develop or mandate, as foreshadowed by proposed critical infrastructure reforms, takes a maturity-based approach, which factors into consideration entity size in relation to risk profile.
"Australian governments … should explore the provision of additional support for market entrants to improve access to certification or standards advisory services in strategic areas, such as cyber readiness for Medtech, to support export growth," the taskforce recommended.
"This might take the form of targeted vouchers or grants, or supported advisory programs. This support could be supported by a formalised assessment process that also takes into account expected return on investment."
The taskforce has also asked the Australian government consider convening a multi-stakeholder IoT Working Party. It said Australian governments, in creating new digital policy documents and/or directives, should require agencies to explicitly consider cybersecurity considerations, including recognised standards, in development and later adoption.
"This might, for example, be prior to Cabinet or expenditure review committee consideration," it added.
Stood up in June, the NSW Cyber Security Standards Harmonisation Taskforce was charged with addressing the risks posed by cyberspace, such as theft of an organisation's intellectual property or the disclosure of sensitive information. To address such risks, the taskforce has been working towards the adoption and use of common standards.
The taskforce is a joint effort between the NSW government, Standards Australia, and AustCyber, the non-profit organisation charged with growing a local cybersecurity ecosystem and facilitating its global expansion.
While the taskforce was initiated by a state government minister, AustCyber CEO Michelle Price said she encourages industry and all levels of governments across the country to review and implement the recommendations outlined in the report.
"Ultimately, a globally competitive Australian cybersecurity sector will underpin the future success of every industry in the national economy," she wrote in her foreword. "Together, let's foster innovation and generate increased investment and jobs through the creation and commercialisation of cybersecurity products and services, utilising agreed standards to build a more secure Australia."
- Service NSW expecting cyber attack to set it back AU$7m in legal and investigation costs
- NSW government sets up cyber and privacy resilience group to keep customer data safe
- New South Wales to implement sector-wide cybersecurity strategy
- Unknown commercial entity blamed for NSW driver's licence data breach
- The disappointment of Australia's new cybersecurity strategy
- Australian government releases voluntary IoT cybersecurity code of practice