On 1 February 2019, the Digital Information Security Policy was replaced by the NSW Cyber Security Policy (the Policy).

All NSW government departments and public service agencies (Government Sector Employment Act 2013 Schedule 1 Public Service agencies) MUST comply with the Policy. This includes statutory authorities and all NSW government entities that submit an annual report to a Secretary of a lead department or cluster, or direct to a Minister, or direct to the Premier.

All NSW government departments and Public Service agencies must report to Cyber Security NSW by 31 August each year. Due to the pandemic conditions in 2020, clusters and agencies may request an extension. To seek an extension, a request must be sought no later than 30 June 2020 by emailing [email protected].

On 30 April each year, Cluster Chief Information Security Officers are to provide Cyber Security NSW with an updated list of all agencies in their cluster and whether they will be providing their reporting to the CISO or directly to Cyber Security NSW, as per Section 1.6 of the Policy.

The Policy is recommended for adoption in State Owned Corporations, as well as local councils and universities.

Mandatory requirements include:

• Identification of an agency’s most valuable or operationally vital systems or information (“crown jewels”) implementing regular cyber security education for all employees, contractors and outsourced ICT service providers

• Implementation and provision of a maturity assessment against the Australian Cyber Security Centre (ACSC) ‘Essential 8’ strategies to mitigate cyber security incidents

• Inclusion of requirements for industrial automation and control systems (IACS) / operational technology (OT) and the internet of things (IoT)

• Reporting cyber security incidents to the Government Chief Information Security Officer

The Policy includes a requirement for agencies to provide a cyber security attestation in their annual reports.

Exemptions to this policy will only be considered in exceptional circumstances. To seek an exemption, contact your cluster CISO in the first instance. If the exemption request is deemed valid by your cluster CISO they will contact Cyber Security NSW on your behalf.

The date of adoption for this Policy and its requirements is 1 February 2019, with reporting due on 31 August every year.

Cyber Security NSW is available for support and guidance regarding implementation of this Policy.