Customer Service RGB

Department of Customer Service

Type:
Department of Customer Service Circular
Identifier:
DCS-2020-05
Status:
Active

DCS-2020-05 Cyber Security NSW directive – Practice Requirements for NSW Government

Description

This Circular mandates cyber security responsibilities for all employees. It also includes specific responsibilities for executives as well as agencies and departments as a whole. In addition, the Circular mandates compulsory annual cyber security training for all NSW public servants (including contractors).

Detailed Outline

Overview

To provide a world class service to the people, communities and businesses of New South Wales (NSW), the user experience and digital services must be world class, but so too must the cyber security capabilities that support these services.

The cyber security threat landscape is evolving, with cyber security attacks like “phishing” and “ransomware” becoming more common as well as more dangerous and damaging. In addition, cyber criminals and sophisticated state-backed actors are consistently and increasingly seeking to compromise government data and systems. Maintaining trust in the services provided by the NSW Government requires clusters and agencies to take appropriate actions to protect government data and systems, including continuously improving their cyber security capability and practices. Every NSW Government employee and contractor has a critical role to play to help fulfil this obligation.

Supporting this, the mandatory requirements in the NSW Cyber Security Policy (the Policy) will be further strengthened in 2021. Clusters and agencies will be subject to audits by Cyber Security NSW commencing in 2020-21 to test compliance with the Policy and reporting these outcomes to the Secretaries Board.

Cyber Security is everyone’s responsibility. Staff (employees, contractors and managed service providers), Government organisations and their leadership must adhere to the following cyber security practices.

Requirement for Mandatory Cyber Security Training

This Circular mandates compulsory annual cyber security training for all NSW public servants (including contractors). This requirement clarifies and builds-on the expectations of Mandatory Requirement 2.1 of the Policy and will be reflected in the Policy Mandatory 25 in the 2021 version of the Policy. Agencies and departments are responsible for ensuring the delivery of training and compliance.

Where agencies do not have existing training, Cyber Security NSW will assist through the enhanced training support it provides for staff in NSW Government that can be delivered either live or via eLearning. There are three levels of training:

  1. Essentials training – for staff and contractors which provides basic cyber hygiene and cyber security awareness of common threats and mitigation techniques

  2. Essential plus – for privileged users which focusses on staff with elevated risk due to their access to financial systems, administrative privileges and executive support

  3. Essential premium – for executives with an additional focus on risk management in the context of cyber.

Mandatory Requirement 2.1 of the Policy requires that Reporting entities are monitoring adherence of outsourced ICT service providers in implementing the cyber security requirements of their contracts., the increased threat from and impact of cyber security incidents makes compulsory training a necessity.

Cyber Hygiene Requirements

Cyber security is everyone’s responsibility – as such, the following cyber security hygiene practices must be followed by all NSW public servants (including contractors) in order to help protect NSW Government data and systems.

All staff (including contractors) in NSW Government agencies and departments must:

  • Avoid reusing passwords across different accounts

  • Use multifactor authentication where available

  • Avoid common password/passphrase words, sayings & patterns (e.g. ‘Password1234’ or ‘LetMeIn’)

  • Consider using passphrases and/or a reputable password manager where supported

  • Never share passwords with other people

  • Avoid using work email accounts and passwords for accounts on non-work-related sites

  • Lock computers and devices when leaving them unattended

  • Be aware of, and report suspicious emails, SMS and phone calls to the point of contact for incident reporting in their agency (this may be an agency Security Team or IT Helpdesk)

  • Never use public Wi-Fi, particularly for work-related activities

  • Only use USBs and external hard drives where the source is known, trusted and the control of the USB and external hard drive can be guaranteed. Never plug in devices from unknown sources including USBs or external hard drives given as gifts or found lying around

  • Follow agency policies for updating devices and backing up files

  • Cover laptop webcams and unplug desktop webcams when not in use

  • Report violations of cyber security policies, cyber security incidents and suspicious activity to your agency’s cyber security team immediately

  • Use and preserve assets’ security by adhering to agency, cluster and NSW Government cyber security policies

  • Only use information and information resources for responsible and authorised purposes.

Agency/Department Executive Must:

  • Assign overall responsibility for information asset protection and ownership

  • Approve policies as appropriate

  • Ensure their agency/department develops, implements and maintains an effective information and cyber security plan

  • Determine their agency/department’s tolerance for security

  • Appropriately resource and support their agency/department’s cyber security initiatives including training and awareness and continual improvement initiatives to support this Circular

  • Ensure that staff are aware of and adequately comply with agency/department policies and the NSW Government Cyber Security Policy

  • Ensure that all NSW Government staff (including contractors) understand the cyber security requirements of their roles

  • Ensure a secure-by-design approach for new initiatives and upgrades to existing systems to ensure compliance with the organisations cyber risk tolerance

  • Ensure all their staff and providers understand their role in building and maintaining secure systems

  • Ensure that the Secretary of the cluster (or Responsible Minister where applicable) and Information Asset Owners are informed of any significant information security issues and the status of the agency/department’s information security

  • Build cyber incident response capability that links to their agency/department’s incident management and whole-of-government cyber response plan

  • The agency/department Chief Information Security Officer (CISO) (or equivalent) must review and provide endorsement on the appropriateness of any security artefacts produced by the entity. This can include but is not limited to; security objectives and information security policies, standards, processes, procedures, baselines and guidelines

  • Ensure compliance with government and regulatory information security-related requirements

  • Ensure that the risk framework is applied in assessing cyber security risks and assist with setting of risk appetite.

Agencies and Departments Must:

  • Identify what cyber security awareness training content is to be included in mandatory baseline requirements. This training content must be appropriate to the current risk level and threat environment and updated as required. This training must be completed by all NSW Government staff (including contractors) upon joining the organisation as well as be refreshed annually.

  • Have additional cyber security awareness training for users in high risk roles (executive officers and assistants, system administrators and users with access to privileged systems)

  • Ensure advisories and alerts issued by Cyber Security NSW and/or clusters are actioned including being communicated to impacted staff

  • Define and document service level agreements (SLAs) for time to patch vulnerabilities appropriate to the level of risk of these vulnerabilities, noting these SLAs should be audited to assess suitability

  • Agencies/departments unable to patch to these timeframes they have defined must document and manage the risks of not patching through their risk management framework

  • Agencies/departments must track and report their vulnerability management status in the appropriate governance forums and/ or to the appropriate decision-makers (Cluster committees, Secretaries Board and/or the Responsible Minister). These reports must also be provided to Cyber Security NSW. Reporting must include information related to vulnerability criticality and time since disclosure

  • Agencies/departments must use Multi Factor Authentication for remote access to systems where possible with reference to the ACSC Essential Eight strategy for Multi Factor Authentication. Where Multi Factor Authentication is not possible, this must be documented in the entity’s cyber security risk register

  • Have an incident response plan and test the plan annually at a minimum.

As noted, these requirements will be incorporated and/or mapped to the 2021 version of the NSW Cyber Security Policy, and all subsequent versions of the Policy, with maturity levels subject to audit by Cyber Security NSW.

Further Queries

Staff with queries should contact their agency/department security team (or equivalent point-of-contact) in the first instance to clarify the directives in this Circular.

Agencies with queries should contact their Cluster CISOs.

Queries about delivery of cyber security training, including access to the Essentials series, should be directed to Cyber Security NSW at cybercomprac@customerservice.nsw.gov.au.

Overview

Who needs to know and/or comply with this?

Advisory Entities (including Boards and Committees)
Departments
Executive agencies related to Departments
Separate agencies
Statutory Authorities/Bodies

AR Details

Date Issued
Oct 16, 2020
Review Date
Oct 16, 2021
Replaces
Replaced By

Contacts

Contact
cybercomprac@customerservice.nsw.gov.au
Phone
13 77 88
Publishing Entity
Department of Customer Service
Issuing Entity
Department of Customer Service