This Circular mandates cyber security responsibilities for all employees. It also includes specific responsibilities for executives as well as agencies and departments as a whole. In addition, the Circular mandates compulsory annual cyber security training for all NSW public servants (including contractors).
To provide a world class service to the people, communities and businesses of New South Wales (NSW), the user experience and digital services must be world class, but so too must the cyber security capabilities that support these services.
The cyber security threat landscape is evolving, with cyber security attacks like “phishing” and “ransomware” becoming more common as well as more dangerous and damaging. In addition, cyber criminals and sophisticated state-backed actors are consistently and increasingly seeking to compromise government data and systems. Maintaining trust in the services provided by the NSW Government requires clusters and agencies to take appropriate actions to protect government data and systems, including continuously improving their cyber security capability and practices. Every NSW Government employee and contractor has a critical role to play to help fulfil this obligation.
Supporting this, the mandatory requirements in the NSW Cyber Security Policy (the Policy) will be further strengthened in 2021. Clusters and agencies will be subject to audits by Cyber Security NSW, commencing in 2020-21, to test compliance with the Policy, and the outcomes of these audits will be reported to the Secretaries Board.
Cyber Security is everyone’s responsibility. Staff (employees, contractors and managed service providers), Government organisations and their leadership must adhere to the following cyber security practices.
Requirement for Mandatory Cyber Security Training
This Circular mandates compulsory annual cyber security training for all NSW public servants (including contractors). This requirement clarifies and builds on the expectations of Mandatory Requirement 2.1 of the Policy and will be reflected in Mandatory Requirement 25 of the 2021 version of the Policy. Agencies and departments are responsible for ensuring the delivery of training and compliance.
Where agencies do not have existing training, Cyber Security NSW will assist through the enhanced training support it provides for staff in NSW Government that can be delivered either live or via eLearning. There are three levels of training:
- Essentials training – for staff and contractors; provides basic cyber hygiene and cyber security awareness of common threats and mitigation techniques
- Essentials plus – for privileged users; focusses on staff with elevated risk due to their access to financial systems, administrative privileges and executive support
- Essentials premium – for executives; adds a focus on risk management in the context of cyber security.
Mandatory Requirement 2.1 of the Policy requires that reporting entities monitor the adherence of outsourced ICT service providers in implementing the cyber security requirements of their contracts. In addition, the increased threat from, and impact of, cyber security incidents makes compulsory training a necessity.
Cyber Hygiene Requirements
Cyber security is everyone’s responsibility – as such, the following cyber security hygiene practices must be followed by all NSW public servants (including contractors) in order to help protect NSW Government data and systems.
All staff (including contractors) in NSW Government agencies and departments must:
- Avoid reusing passwords across different accounts
- Use multifactor authentication where available
- Avoid common password/passphrase words, sayings and patterns (e.g. ‘Password1234’ or ‘LetMeIn’)
- Consider using passphrases and/or a reputable password manager where supported
- Never share passwords with other people
- Avoid using work email accounts and passwords for accounts on non-work-related sites
- Lock computers and devices when leaving them unattended
- Be aware of, and report, suspicious emails, SMS and phone calls to the point of contact for incident reporting in their agency (this may be an agency Security Team or IT Helpdesk)
- Never use public Wi-Fi, particularly for work-related activities
- Only use USBs and external hard drives where the source is known and trusted and control of the USB or external hard drive can be guaranteed. Never plug in devices from unknown sources, including USBs or external hard drives given as gifts or found lying around
- Follow agency policies for updating devices and backing up files
- Cover laptop webcams and unplug desktop webcams when not in use
- Report violations of cyber security policies, cyber security incidents and suspicious activity to your agency’s cyber security team immediately
- Use and preserve the security of assets by adhering to agency, cluster and NSW Government cyber security policies
- Only use information and information resources for responsible and authorised purposes.
Agency/Department Executive Must:
- Assign overall responsibility for information asset protection and ownership
- Approve policies as appropriate
- Ensure their agency/department develops, implements and maintains an effective information and cyber security plan
- Determine their agency/department’s tolerance for cyber security risk
- Appropriately resource and support their agency/department’s cyber security initiatives, including training and awareness and continual improvement initiatives that support this Circular
- Ensure that staff are aware of, and adequately comply with, agency/department policies and the NSW Government Cyber Security Policy
- Ensure that all NSW Government staff (including contractors) understand the cyber security requirements of their roles
- Ensure a secure-by-design approach for new initiatives and upgrades to existing systems, so that they comply with the organisation’s cyber risk tolerance
- Ensure all their staff and providers understand their role in building and maintaining secure systems
- Ensure that the Secretary of the cluster (or Responsible Minister where applicable) and Information Asset Owners are informed of any significant information security issues and of the status of the agency/department’s information security
- Build cyber incident response capability that links to their agency/department’s incident management and the whole-of-government cyber response plan
- Ensure the agency/department Chief Information Security Officer (CISO) (or equivalent) reviews and endorses the appropriateness of any security artefacts produced by the entity. These can include, but are not limited to: security objectives and information security policies, standards, processes, procedures, baselines and guidelines
- Ensure compliance with government and regulatory information security-related requirements
- Ensure that the risk framework is applied in assessing cyber security risks, and assist with setting the risk appetite.
Agencies and Departments Must:
- Identify what cyber security awareness training content is to be included in mandatory baseline requirements. This training content must be appropriate to the current risk level and threat environment and updated as required. This training must be completed by all NSW Government staff (including contractors) upon joining the organisation and refreshed annually.
- Provide additional cyber security awareness training for users in high-risk roles (executive officers and assistants, system administrators and users with access to privileged systems)
- Ensure advisories and alerts issued by Cyber Security NSW and/or clusters are actioned, including being communicated to impacted staff
- Define and document service level agreements (SLAs) for time to patch vulnerabilities, appropriate to the level of risk of these vulnerabilities, noting that these SLAs should be audited to assess their suitability
- Where agencies/departments are unable to patch within the timeframes they have defined, document and manage the risks of not patching through their risk management framework
- Track and report their vulnerability management status in the appropriate governance forums and/or to the appropriate decision-makers (Cluster committees, Secretaries Board and/or the Responsible Minister). These reports must also be provided to Cyber Security NSW. Reporting must include information related to vulnerability criticality and time since disclosure
- Use Multi Factor Authentication for remote access to systems where possible, with reference to the ACSC Essential Eight strategy for Multi Factor Authentication. Where Multi Factor Authentication is not possible, this must be documented in the entity’s cyber security risk register
- Have an incident response plan and test the plan annually at a minimum.
As noted, these requirements will be incorporated and/or mapped to the 2021 version of the NSW Cyber Security Policy, and all subsequent versions of the Policy, with maturity levels subject to audit by Cyber Security NSW.
Staff with queries should contact their agency/department security team (or equivalent point-of-contact) in the first instance to clarify the directives in this Circular.
Agencies with queries should contact their Cluster CISOs.
Queries about delivery of cyber security training, including access to the Essentials series, should be directed to Cyber Security NSW at firstname.lastname@example.org.
Who needs to know and/or comply with this?
- Advisory Entities (including Boards and Committees)
- Executive agencies related to Departments
- Separate agencies
- Statutory Authorities/Bodies
- Date Issued: Oct 16, 2020
- Review Date: Oct 16, 2021
- Replaced By: 13 77 88
- Publishing Entity: Department of Customer Service
- Issuing Entity: Department of Customer Service