The Victorian government has launched a new five-year cybersecurity strategy to build resiliency against cyber threats and ensure government information, services, and infrastructure are protected and personnel are ready should the situation arise.
Under the Cyber Security Strategy released on Friday, the state government is aiming to protect sensitive citizen and other data against loss, malicious alteration, and unauthorised use, in the first instance.
The strategy [PDF] explains the state also wants government services, systems, and infrastructure to be capable of bouncing back during and following "serious cyber incidents".
As such, the state has a whole-of-government approach to how it will respond to threats against infrastructure, with the strategy highlighting cybersecurity capability across the public sector needs to be improved to become consistent, less fragmented, based on industry practice, and appropriate to the risk profile of each organisation.
It may also see the establishment of whole-of-government subscriptions for internet security and information security services.
"The threat environment we face is increasing at all levels of government and against every system we operate," the strategy explains. "The time for an agency-by-agency (only) approach has passed. We need to address these risks strategically, and where it makes sense, holistically."
"The opportunity for the government as a whole is to build and sustain strong cybersecurity capabilities across all agencies."
The state government wants to bake-in security and protection capabilities into new digital services for citizens and improve the overall security and viability of Victorian government core infrastructure.
As such, the strategy has been published with six key principals, with the first vowing to request the private sector share security information with the government.
Another principal will see the state government implement capabilities that have been tried and tested elsewhere, as long as they have the ability to scale, as required under principal four.
The strategy has also been broken out into 23 points under five priorities it said are designed to "uplift the cybersecurity capacity" of the government. It also details the timeline for when each point is to be delivered.
The Victorian government will be appointing a chief information security officer in September within the Department of Premier and Cabinet under a new cybersecurity office that will be established to oversee the rollout of the strategy and co-ordinate cross-government action.
The CISO will work closely, the strategy explains, with the Privacy and Data Protection Deputy Commissioner, who currently regulates information privacy and protective data security. They will also work with Emergency Management Victoria in a bid to better understand risks and ensure a consistent whole-of-government approach to cybersecurity, as well as with the Victorian Managed Insurance Authority which provides insurance against damage to state assets or liabilities to third parties arising from cyber incidents.
The new cybersecurity office will also work with CenITex, the Victorian government's tumultuous shared services provider for IT, as well as with the federal government and its cybersecurity-focused agencies, including the Australian Cyber Security Centre and the Australian Signals Directorate, following the federal government's cybersecurity strategy launched in April last year.
"As organised crime and others become more sophisticated in hacking and disrupting digital services, it's crucial government steps up to better protect against these cybersecurity threats," said Special Minister of State Gavin Jennings.
"Victoria's first ever cybersecurity strategy ensures we can stay ahead of the cyber criminals and develop the infrastructure, systems, and processes needed to protect government services and information.
"This is also good for jobs and our economic prosperity, as we build upon Victoria's position as the tech capital of Australia and a world-leader in tackling cyber-threats."
Under the strategy, government agencies will be required to develop and present a quarterly cybersecurity briefing and status reports to the Victorian Secretaries Board and the State Crisis and Resilience Committee, as well as undertake cybersecurity operational health checks.
The state will also develop a workforce plan to attract, develop, and retain specialist cybersecurity skills.
The strategy was been developed after the Victorian Government Information Technology Strategy, released in May 2016, called for the development of a cybersecurity strategy, noting the security of information and infrastructure is essential to the functioning of government.