
Type:
Department of Customer Service Circular
Identifier:
DCS-2020-05
Status:
Archived

DCS-2020-05 Cyber Security NSW directive – Practice Requirements for NSW Government

Description

This Circular mandates cyber security responsibilities for all employees. It also includes specific responsibilities for executives as well as agencies and departments as a whole. In addition, the Circular mandates compulsory annual cyber security training for all NSW public servants (including contractors).

Detailed Outline

Overview

To provide a world class service to the people, communities and businesses of New South Wales (NSW), the user experience and digital services must be world class, but so too must the cyber security capabilities that support these services.

The cyber security threat landscape is evolving, with cyber security attacks like “phishing” and “ransomware” becoming more common, dangerous and damaging. In addition, cyber criminals and sophisticated state-backed actors are increasingly seeking to compromise government data and systems. Maintaining trust in the services provided by the NSW Government requires portfolios and agencies to take appropriate actions to protect government data and systems, including continuously improving their cyber security capability and practices. Every NSW Government employee and contractor has a critical role to play to help fulfil this obligation.

While this Circular only applies to NSW Government departments and agencies, NSW Local Government and State-Owned Corporations are strongly encouraged to voluntarily comply.

Cyber Security is everyone’s responsibility. Staff (employees, contractors and managed service providers), Government organisations and their leadership must adhere to the following cyber security practices.

Requirement for Mandatory Cyber Security Training

This Circular mandates compulsory annual cyber security training for all NSW public servants (including contractors). This requirement clarifies and builds on the expectations of Mandatory Requirement 2.1 of the NSW Cyber Security Policy 2021-2022. Agencies and departments are responsible for ensuring the delivery of training and compliance.

Where agencies do not have existing training, Cyber Security NSW will assist through the enhanced training support it provides for staff in NSW Government, that can be delivered either live or via eLearning. There are three levels of training:

  1. Essentials training – for staff and contractors; it provides basic cyber hygiene and cyber security awareness of common threats and mitigation techniques.

  2. Essentials plus – for privileged users; it focuses on staff with elevated risk due to their access to financial systems and administrative privileges.

  3. Essentials premium – for executives, with an additional focus on risk management in the context of cyber security.

Mandatory Requirement 2.1 of the NSW Cyber Security Policy 2021-2022 requires reporting entities to monitor the adherence of outsourced third-party service providers when implementing the cyber security requirements of their contracts. The increased threat from and impact of cyber security incidents makes compulsory training a necessity.

Cyber Hygiene Requirements

Cyber security is everyone’s responsibility – as such, the following cyber security hygiene practices must be followed by all NSW public servants (including contractors) in order to help protect NSW Government data and systems.

All staff (including contractors) in NSW Government agencies and departments must:

  • Avoid reusing passwords across different accounts

  • Use multi-factor authentication where available

  • Avoid common passwords and patterns (e.g. ‘Password1234’ or ‘Admin’)

  • Consider using passphrases (e.g. Clay*OnionPretzelSky24) and/or a reputable password manager where supported

  • Never share passwords with other people

  • Never use work email accounts and passwords for accounts on non-work-related sites

  • Lock computer screens and secure devices when leaving them unattended

  • Be aware of, and report, suspicious emails, SMS and phone calls to the point of contact for incident reporting in their agency (this may be an agency Security Team or IT Helpdesk)

  • Always hover over URLs before clicking and do not click on suspicious links

  • Never use public Wi-Fi, particularly for work-related activities

  • Avoid using USBs and external hard drives unless the source is known and trusted and control of the USB or external hard drive can be guaranteed. Never plug in devices from unknown sources, including USBs or external hard drives given as gifts or found lying around

  • Follow agency policies for updating devices and backing up files

  • Cover laptop webcams and unplug desktop webcams when not in use

  • Report violations of cyber security policies, cyber security incidents and suspicious activity to your agency’s cyber security team immediately

  • Use and preserve assets’ security by adhering to agency, portfolio and NSW Government cyber security policies

  • Only use information and information resources for responsible and authorised purposes

  • Ensure that arrangements for staff working from overseas locations are aligned with DCS Circular 2022-03 – Accessing NSW Government digital systems while overseas[1].


    [1] https://arp.nsw.gov.au/dcs-2022-03-accessing-nsw-government-digital-systems-while-overseas/

Agency/Department Executive Must:

  • Assign overall responsibility for information asset protection and ownership

  • Approve policies as appropriate

  • Ensure their agency/department develops, implements and maintains an effective information and cyber security plan

  • Determine their agency/department’s tolerance for managing cyber security risk

  • Appropriately resource and support their agency/department’s cyber security initiatives including training and awareness and continual improvement initiatives to support this Circular

  • Ensure that staff are aware of and adequately comply with agency/department policies and the NSW Cyber Security Policy

  • Ensure that all NSW Government staff (including contractors) understand the cyber security requirements of their roles

  • Ensure a secure-by-design approach for new initiatives and upgrades to existing systems, to ensure compliance with the organisation’s cyber risk tolerance

  • Ensure all their staff and providers understand their role in building and maintaining secure systems

  • Ensure that the Secretary of the portfolio (or Responsible Minister where applicable) and Information Asset Owners are informed of any significant information security issues and the status of the agency/department’s information security

  • Build cyber incident response capability that links to their agency/department’s incident management and whole-of-government cyber response plan

  • Ensure that the agency/department Chief Information Security Officer (CISO) (or equivalent) reviews and endorses the appropriateness of any security artefacts produced by the entity. These can include, but are not limited to, security objectives and information security policies, standards, processes, procedures, baselines and guidelines

  • Ensure compliance with government and regulatory information security-related requirements

  • Ensure that the risk framework is applied in assessing cyber security risks and assist with setting the risk appetite.

Agencies and Departments Must:

  • Identify what cyber security awareness training content is to be included in mandatory baseline requirements. This training content must be appropriate to the current risk level and threat environment and updated as required. This training must be completed by all NSW Government staff (including contractors) upon joining the organisation as well as be refreshed annually.

  • Have additional cyber security awareness training for users in high-risk roles (executive officers and assistants, system administrators and users with access to privileged systems)

  • Ensure advisories and alerts issued by Cyber Security NSW and/or portfolios are actioned including being communicated to impacted staff

  • Define and document service level agreements (SLAs) for time to patch vulnerabilities, appropriate to the level of risk of those vulnerabilities, noting that these SLAs should be audited to assess their suitability

  • Agencies/departments unable to patch to these defined timeframes must document and manage the risks of not patching through their risk management framework

  • Agencies/departments must track and report their vulnerability management status in the appropriate governance forums and/or to the appropriate decision-makers (Portfolio committees, Secretaries Board and/or the Responsible Minister). These reports must also be provided to Cyber Security NSW. Reporting must include information related to vulnerability criticality and time since disclosure

  • Agencies/departments must use multi-factor authentication for remote access to systems where possible with reference to the ACSC Essential Eight strategy for multi-factor authentication. Where multi-factor authentication is not possible, this must be documented in the entity’s cyber security risk register

  • Have an incident response plan and test the plan annually at a minimum.

Further Queries

Staff with queries should contact their agency/department security team (or equivalent point-of-contact) in the first instance to clarify the directives in this Circular.

Agencies with queries should contact their Portfolio CISOs.

Queries about delivery of cyber security training, including access to the Essentials series, should be directed to Cyber Security NSW at [email protected].

Overview

Who needs to know and/or comply with this?

Advisory Entities (including Boards and Committees)
Departments
Executive agencies related to Departments
Separate agencies
Statutory Authorities/Bodies

Compliance

Mandatory

AR Details

Date Issued
Oct 16, 2020
Review Date
Aug 14, 2024
Replaces
Replaced By

Contacts

Publishing Entity
Department of Customer Service
Issuing Entity
Department of Customer Service