Department of Finance, Services and Innovation
Category: Department of Finance, Services and Innovation Circular
Identifier: DFSI-2019-02
Status: Active

DFSI-2019-02-NSW Cyber Security Policy

Description

Introduction of mandatory cyber security requirements for NSW Public Service Agencies to ensure an integrated approach to preventing and responding to cyber security threats.

From 1 February 2019, the Digital Information Security Policy will be replaced by the NSW Cyber Security Policy.

All NSW Public Service Agencies must comply with the Policy. It is also recommended for adoption by State Owned Corporations, local councils and universities.

New mandatory requirements include:

  • identification of an Agency’s most valuable or operationally vital systems or information (“crown jewels”)
  • implementing regular cyber security education for all employees, contractors and outsourced ICT service providers
  • implementation and provision of a maturity assessment against the Australian Cyber Security Centre (ACSC) ‘Essential 8’ strategies to mitigate cyber security incidents
  • inclusion of requirements for industrial automation and control systems (IACS) / operational technology (OT) and the internet of things (IoT)
  • reporting cyber security incidents to the Government Chief Information Security Officer

The Policy includes a requirement for Agencies to provide a cyber security attestation in their annual reports.

Exemptions to any part of this Policy may be sought by Agency heads and sent to the Government Chief Information Security Officer for consideration, prior to Government Chief Information and Digital Officer approval.

The date of adoption for this Policy and its requirements is 1 February 2019, with reporting for the 2018/19 financial year due on 31 August 2019.

The NSW Government Chief Information Security Officer is available for support and guidance regarding implementation of this Policy.

Contact: cybersecurity@finance.nsw.gov.au

Link: https://www.digital.nsw.gov.au/cybersecuritypolicy