Date:
21 February 2022
Author:
Shona Barton

NSW’s Cyber Security Policy

NSW’s Cyber Security Policy was updated in January 2022. The policy covers the reporting process, mandatory requirements and the Essential Eight. The policy also works with the broader NSW Cyber Security Strategy.

Reporting process

Cyber security is managed by Cyber Security NSW.

Agencies must prepare an annual report that includes:

  • Maturity reporting — This is an agency’s current maturity against the mandatory requirements and the Essential Eight, and target maturity levels for the coming year.

  • Crown jewels and risk reporting — Agencies must list the most valuable or operationally vital systems or information in their organisation, and identify any extreme or high risks.

  • Attestation — This document must be added to agency annual reports, and submitted to the cluster Chief Information Security Officer (CISO). Requirements include that the agency has assessed its cyber security risks, has an incident response plan, and has a plan for continuous improvement.

Cluster CISOs coordinate reporting across their cluster. Agencies must compile and retain reports that are accurate and verifiable.

Mandatory requirements

The mandatory requirements state that agencies must:

  1. Implement cyber security planning and governance

  2. Build and support a cyber security culture across their agency and NSW Government

  3. Manage cyber security risks to safeguard and secure information and systems

  4. Improve resilience including the ability to rapidly detect and respond to cyber incidents

These requirements are displayed in a handy visual that outlines activities under categories of:

Lead > Prepare > Prevent > Detect > Respond > Recover

The Essential Eight

The Essential Eight are eight actions that all Australian organisations should take to protect themselves from cyber threats. They were released by the Australian Cyber Security Centre (ACSC) in 2017 as part of that agency’s mandate to protect Australia from cyber threats.

The Essential Eight include directives like:

  • Application control — Allow only applications that have been approved and block all others

  • Restrict administrative privileges — Limit the number of accounts with administrative privileges

  • Patch operating systems — Update operating systems promptly when security issues are identified

  • Use multifactor authentication — Implement authentication methods to supplement passwords, such as verification codes or fingerprint scans

For more information, view our Insight, The Essential Eight.

Salsa Digital’s take

Cyber security is essential to maintain confidentiality and trust between citizens and governments through the secure protection of information, technology and IT infrastructure.

Salsa not only delivers technology and innovation to help governments better engage with citizens, but also understands and constructs robust systems that safeguard data from cyber threats and breaches.