On 1 February 2019, the Digital Information Security Policy was replaced by the NSW Cyber Security Policy (the Policy) https://www.digital.nsw.gov.au/policy/cyber-security/cyber-security-policy.

All NSW government departments and public service agencies (Government Sector Employment Act 2013 Schedule 1 Public Service agencies) MUST comply with the Policy. This includes statutory authorities and all NSW government entities that submit an annual report to a Secretary of a lead department or cluster, or direct to a Minister, or direct to the Premier.

All NSW government departments and Public Service agencies must report to Cyber Security NSW by 31 October each year.

On 30 April each year, Cluster Chief Information Security Officers (CISOs) must provide Cyber Security NSW with an updated list of all agencies in their cluster and whether they will be providing their reporting to the CISO or directly to Cyber Security NSW, as per Section 2.1 of the Policy.

The Policy is recommended for adoption in State Owned Corporations, local governments and universities as a foundation of strong cyber security practice, in accordance with associated regulations and guidelines.

Policy requirements include:

• Identification of an agency’s most valuable or operationally vital systems or information (“crown jewels”) implementing regular cyber security education for all employees, contractors and outsourced ICT service providers.

• Implementation and provision of a maturity assessment against the Australian Cyber Security Centre (ACSC) ‘Essential Eight’ strategies to mitigate cyber security incidents.

• Inclusion of requirements for industrial automation and control systems (IACS) / operational technology (OT) and internet of things (IoT).

• Reporting cyber security incidents to Cyber Security NSW.

• Providing a cyber security attestation in annual reports.

Note: For the 2021/2022 reporting period, agencies must score themselves against the previous Essential Eight maturity model and the new Essential Eight maturity model (last updated 21 October 2021)

Several recommendations from the NSW Audit Office report “Compliance with the Cyber Security Policy” (2021) have been incorporated into this version of the Policy, with remaining recommendations incorporated in future iterations. Recommendations incorporated for the 2021/2022 Policy reporting period include:

• A requirement for reporting entities to identify target maturity levels.

• A requirement for agency heads to accept residual risk for low maturity.

• Implementation of the new ACSC Essential Eight.

• An update to attestation wording.

Exemptions to this policy will only be considered in exceptional circumstances. To seek an exemption, contact your cluster CISO in the first instance. If the exemption request is deemed valid by your cluster CISO they will contact Cyber Security NSW on your behalf.

The date of adoption for this Policy and its requirements is 1 April 2022 for the reporting period 1 July 2022 to 30 June 2023. Reporting is due on 31 October. The reporting deadline has been extended from the previous August deadline to allow agencies and departments the ability to assess against the new requirements.

Cyber Security NSW is available for support and guidance regarding implementation of this Policy.