Many State governments have recently undergone a change in policies surrounding cyber security as a result of increasing cybercrimes.
Published in January 2020, the Australian Government Information Security Manual outlines a risk-based framework that organisations can apply to protect their systems and information from cyber risks. Its principles have been grouped into four key activities:
- Govern: Identify and manage security risks
- Protect: implement controls to reduce security risks
- Detect: detect and understand incidents and events
- Respond: Respond and recover from incidents
The manual is not a mandatory requirement and does not override legislative or legal obligations.
To help government departments and public service agencies understand their state requirements, a summary has been provided.
New South Wales
Effective from February 2019, the NSW Cyber Security Policy replaces the NSW Digital Information Security Policy 2015.
The policy aims to protect systems from a compromise of confidentiality, integrity, and availability of data, by strengthening cyber security governance and controls, identifying operationally vital systems, developing a cyber security culture and implementing an all-of-government approach to cyber incident response.
Mandatory for all NSW Government Departments and Public Service Agencies, the policy covers information and communication technology (ICT) systems and industrial automation and control systems (IACS) that handle government or citizen data or provide government services.
The policy contains five key requirements:
- Planning and Governance
Centered around leadership’s commitment, government departments and public service agencies must provide adequate support throughout the management framework and cyber security plan. - Cyber Security Culture
Adequate staff awareness of cyber security risks, regular training, proper screening is needed to foster a cyber security culture. - Manage Cyber Security Risks
Agencies must implement an information security management system (ISMS) or cyber security management system (CSMS) compliant to recognised standards such as ISO/IEC 27001 or ISA/IEC62443 (for IACS). Implement and report against the ACSC Essential 8 - Resilience
As cyber risks evolve, organisational resilience must evolve too. An up-to-date cyber incident response plan must be maintained and tested at least annually. Any cyber incidents must be reported according to the NSW Cyber Security Response Plan. - Report Against the Requirements
All requirements must be reported annually by August 31 to Cyber Security NSW and their Agency Head of compliance.
Queensland
Effective from October 2018, the Queensland Government Information Security Policy (IS18:2018) seeks to ensure all departments apply a risk-based approach to information security, maintaining confidentiality, integrity, and availability.
Applicable for all Queensland Government departments, the policy aims to enable an appropriate response to the changing environment by aligning to international best practice approaches. Public Services must also reference the policy in the context of internal controls, financial information management systems and risk management.
The policy contains five key requirements:
- Departments must implement an ISMS based on ISO 27001
Aligning to international best practices, departments must implement, operate and maintain an ISMS based on the current version of ISO 27001. - Departments must apply a systematic and repeatable approach to risk management
A risk management framework must be integrated into the core corporate risk management processes. - Departments must meet minimum security requirements
Compliance must be met with the: - Departments accountable officers must obtain security assurance for systems
Accountable officers must apply security assurance to systems based on the criticality and significance of the system. - Accountable officers must attest to the appropriateness of departmental information security
Departmental accountable officers must provide evidence of the performance of the management system. This must be publicly accessible, through the website or annual report.
Victoria
On October 28, 2019, The Victorian Protective Data Security Standards were revoked in accordance with sections 86 and 87 of the Privacy and Data Protection Act 2014. This has led to the development of the Victorian Protective Data Security Standards V2.0.
V2.0 will be updated in early 2020.
For more information, visit the Victorian Protective Data Security Standards V2.0 website.
South Australia
Effective from December 2019, the South Australian Cyber Security Framework (SACSF) replaces the Information Security Management Framework (ISMF).
Mandatory for all South Australian Government public sector agencies, suppliers and service providers to government agencies, Agencies will have until December 2020 to be compliant to the framework.
The framework adopts a risk-based approach to cyber security management to ensure cyber security risks are managed in an acceptable manner.
The framework contains 21 policy statements that grouped into four principles:
- Principle One: Governance
Senior leadership must be held accountable for the implementation and success of the management system, ensuring clear roles and responsibilities are put in place to effectively manage cyber security risks. - Principle Two: Information
Maintain the confidentiality, integrity, and availability of information and systems through current incident response plans, supporting business resilience plans and controlled access to information. - Principle Three: Personnel
Ensure employees and contractors are the right people for the job. This can be achieved through screening, continual education, and awareness of cyber risks. - Principle Four: Physical
Provide a safe and secure location for people, information and assets.
Tasmania
Effective from April 2011, the Tasmanian Government Information Security Framework applies a risk management approach for all agencies to implement.
The Information Security Policy Manual serves as the primary document that outlines the high-level requirements. The policy is based upon the availability, integrity, confidentiality, and proportionality of information.
The policy contains 7 key requirements:
- Information Security Governance and Management
The Agency should implement an information security management system (ISMS) using the ISO 27001 framework. A committee of senior management and leaders must be formed to implement and maintain the management system. - Risk Management
Regular information security risk assessments should be conducted to ensure an appropriate risk management strategy is implemented. - Resource Management
Appropriate resource management must be implemented to protect business activity records, control physical access to information and control the use of ICT. - Identify and Access Management
Agencies must protect information by ensuring only those authorised can access information assets. Authorised personnel must be screened, prior to access, using the Tasmanian Government Identity and Access Management Toolkit. - Personnel and Awareness
Clear roles and responsibilities must be assigned and understood by all staff to minimise risk of information misuse. Staff need to be appropriately equipped to carry out their responsibilities. - Incident Management
Information security incidents and events must be managed through an up-to-date structured approach. - Business Continuity Management
Agencies must implement a structured approach to business continuity management based on an information security risk assessment.
Western Australia
The Western Australian Digital Security Policy provides direction for public sector agencies to manage digital security risks. It ensures confidentiality, integrity and availability of digital information.
Updated in June 2017, the policy is applicable for whole-of-government and public sector agencies.
The policy contains 4 key requirements:
- Implement an Information Security Management System
Agencies must implement an information security management system that is aligned to its broader risk management plan. - Governance and Accountability
Clear roles and responsibilities need to be defined and implemented in line with the agencies risk and ICT governance frameworks to ensure consistency and support from executive leaders. - Assess and Treat Security Risks
A process must be defined that identifies and assesses digital security risks within the agency’s risk appetite. - Continuous Improvement
Agencies need to support a continuous improvement of digital risk processes. Processes should be routinely monitored, reviewed and tested, ensuring that employee skills and capabilities are simultaneously improved.