DCS-2021-02 NSW Cyber Security Policy
Ongoing implementation of mandatory cyber security requirements for all NSW Government departments and public service agencies to ensure an integrated approach to preventing and responding to cyber security threats.
Issued: by Secretary, Department of Customer Service
Key information
- Status
- Active
- Type
- Department of Customer Service Circular
- Identifier
- DCS-2021-02
- Compliance
- Mandatory
- Updated
Who needs to know and/or comply with this?
- Departments
- Executive agencies related to Departments
- Separate agencies
- Statutory Authorities/Bodies
About
Ongoing implementation of mandatory cyber security requirements for all NSW Government departments and public service agencies to ensure an integrated approach to preventing and responding to cyber security threats.
The NSW Cyber Security Policy sets mandatory baseline cyber security requirements for NSW Government departments and public service agencies.
The Policy has been revised to improve clarity, structure and usability, including by bringing Mandatory Requirements forward, clarifying roles and responsibilities and strengthening reporting and assurance arrangements.
These updates are administrative and structural in nature and do not introduce new policy requirements, controls or agency deliverables.
All NSW Government departments and public service agencies (as defined in Schedule 1 of the Government Sector Employment Act 2013) must comply with the NSW Cyber Security Policy, including statutory authorities and all agencies reporting to a Minister, the Premier or a Secretary.
By 30 June each year, portfolio Chief Information Security Officers (CISOs) must provide Cyber Security NSW with an updated list of all agencies in their portfolio, with confirmation of whether they will be providing their reporting to the CISO or directly to Cyber Security NSW, as per Section 6.1 of the NSW Cyber Security Policy.
All NSW Government departments and public service agencies must report the following to Cyber Security NSW by 31 October each year, in a format provided by Cyber Security NSW:
- an assurance assessment against all Mandatory Requirements in the NSW Cyber Security Policy for the previous financial year to support policy reporting and agency head attestation
- a list of all high and extreme residual cyber security risks (or “not applicable” where none exist), in the prescribed format
- an assessment against whole-of-government cyber security risks in the prescribed format, in accordance with Cyber Security NSW guidance
- a Crown Jewel asset inventory (Mandatory Requirement 1.7) in the prescribed format
- an agency head attestation on cyber security, including compliance with the NSW Cyber Security Policy
All NSW Government departments and public service agencies must compile and retain, in accessible form, evidence that demonstrates the basis of their assurance assessment against the Mandatory Requirements.
Note: while the NSW Cyber Security Policy applies across the entire agency and sets out minimum requirements for agencies, not all requirements can be uniformly implemented across the defined scope. For the scope of the Mandatory Requirements, agencies should ensure any use of exceptions for a system are documented, approved by an appropriate authority through a formal process and retained in accessible form.
Exemptions and extensions to reporting will only be considered in exceptional circumstances. A formal exemption is not required where a Mandatory Requirement is not applicable, provided the agency records and justifies that position.
To seek an exemption or extension, agencies must contact their portfolio CISO in the first instance. Portfolio CISOs will coordinate valid requests with Cyber Security NSW. Independent agencies may raise requests directly with Cyber Security NSW and should notify their portfolio CISO.
The Policy outlines information sharing of agency’s results from their NSW Cyber Security Policy Report to nominated entities to support coordinated cyber security outcomes and reduce duplication of data collection. Sharing must be authorised by the relevant agency and governed through formal agreements (e.g. Memoranda of Understanding) and established coordination mechanisms, including the NSW Government Cyber Security Steering Group.
The NSW Cyber Security Policy and its requirements must be adopted from the date this Circular is released.
Cyber Security NSW provides guidance and support to assist agencies in implementing the NSW Cyber Security Policy.