The Quick Guide to Australian Cyber Security Policies

Many State governments have recently undergone a change in policies surrounding cybersecurity as a result of increasing cybercrimes.

Published in January 2020, the Australian Government Information Security Manual outlines a risk-based framework that organisations can apply to protect their systems and information from cyber risks. Its principles have been grouped into four key activities:

• Govern: Identify and manage security risks
• Protect: implement controls to reduce security risks
• Detect: detect and understand incidents and events
• Respond: Respond and recover from incidents

The manual is not a mandatory requirement and does not override legislative or legal obligations.

To help government departments and public service agencies understand their state requirements, a summary has been provided.

New South Wales

Effective from February 2019, the NSW Cyber Security Policy replaces the NSW Digital Information Security Policy 2015.

The policy aims to protect systems from a compromise of confidentiality, integrity, and availability of data, by strengthening cyber security governance and controls, identifying operationally vital systems, developing a cyber security culture and implementing an all-of-government approach to cyber incident response.

Mandatory for all NSW Government Departments and Public Service Agencies, the policy covers information and communication technology (ICT) systems and industrial automation and control systems (IACS) that handle government or citizen data or provide government services.

The policy contains five key requirements:

1. Planning and Governance
   Centered around leadership’s commitment, government departments and public service agencies must provide adequate support throughout the management framework and cybersecurity plan.
2. Cyber Security Culture
   Adequate staff awareness of cybersecurity risks, regular training, proper screening is needed to foster a cybersecurity culture.
3. Manage Cyber Security Risks
   Agencies must implement an information security management system (ISMS) or cybersecurity management system (CSMS) compliant to recognized standards such as ISO/IEC 27001 or ISA/IEC62443 (for IACS). Implement and report against the ACSC Essential 8
4. Resilience
   As cyber risks evolve, organisational resilience must evolve too. An up-to-date cyber incident response plan must be maintained and tested at least annually. Any cyber incidents must be reported according to the NSW Cyber Security Response Plan.
5. Report Against the Requirements
   All requirements must be reported annually by August 31 to Cyber Security NSW and their Agency Head of compliance.

Queensland

Effective from October 2018, the Queensland Government Information Security Policy (IS18:2018) seeks to ensure all departments apply a risk-based approach to information security, maintaining confidentiality, integrity, and availability.

Applicable for all Queensland Government departments, the policy aims to enable an appropriate response to the changing environment by aligning to international best practice approaches. Public Services must also reference the policy in the context of internal controls, financial information management systems and risk management.

The policy contains five key requirements:

1. Departments must implement an ISMS based on ISO 27001
   Aligning to international best practices, departments must implement, operate and maintain an ISMS based on the current version of ISO 27001.
2. Departments must apply a systematic and repeatable approach to risk management
   A risk management framework must be integrated into the core corporate risk management processes.
3. Departments must meet minimum security requirements
   ​Compliance must be met with the: 
   • Queensland Government Information Security Classification Framework (QGISCF)
   • Data encryption standard
   • Queensland Government Authentication Framework (QGAF)
   • Australian Signals Directorate (ASD) “Essential Eight” Strategies
4. Departments accountable officers must obtain security assurance for systems
   Accountable officers must apply security assurance to systems based on the criticality and significance of the system.
5. Accountable officers must attest to the appropriateness of departmental information security
   Departmental accountable officers must provide evidence of the performance of the management system. This must be publicly accessible, through the website or annual report.

Victoria

On October 28, 2019, The Victorian Protective Data Security Standards were revoked in accordance with sections 86 and 87 of the Privacy and Data Protection Act 2014. This has led to the development of the Victorian Protective Data Security Standards V2.0.

V2.0 will be updated in early 2020.

For more information, visit the Victorian Protective Data Security Standards V2.0 website.

South Australia

Effective from December 2019, the South Australian Cyber Security Framework (SACSF) replaces the Information Security Management Framework (ISMF).

Mandatory for all South Australian Government public sector agencies, suppliers and service providers to government agencies, Agencies will have until December 2020 to be compliant to the framework.

The framework adopts a risk-based approach to cybersecurity management to ensure cybersecurity risks are managed in an acceptable manner.

The framework contains 21 policy statements that grouped into four principles: 

1. Principle One: Governance
   Senior leadership must be held accountable for the implementation and success of the management system, ensuring clear roles and responsibilities are put in place to effectively manage cyber security risks.
2. Principle Two: Information
   Maintain the confidentiality, integrity, and availability of information and systems through current incident response plans, supporting business resilience plans and controlled access to information.
3. Principle Three: Personnel
   Ensure employees and contractors are the right people for the job. This can be achieved through screening, continual education, and awareness of cyber risks.
4. Principle Four: Physical
   Provide a safe and secure location for people, information and assets.

Tasmania

Effective from April 2011, the Tasmanian Government Information Security Framework applies a risk management approach for all agencies to implement.

The Information Security Policy Manual serves as the primary document that outlines the high-level requirements. The policy is based upon the availability, integrity, confidentiality, and proportionality of information.

The policy contains 7 key requirements:

1. Information Security Governance and Management
   The Agency should implement an information security management system (ISMS) using the ISO 27001 framework. A committee of senior management and leaders must be formed to implement and maintain the management system.
2. Risk Management
   Regular information security risk assessments should be conducted to ensure an appropriate risk management strategy is implemented.
3. Resource Management
   Appropriate resource management must be implemented to protect business activity records, control physical access to information and control the use of ICT.
4. Identify and Access Management
   Agencies must protect information by ensuring only those authorised can access information assets. Authorised personnel must be screened, prior to access, using the Tasmanian Government Identity and Access Management Toolkit.
5. Personnel and Awareness
   Clear roles and responsibilities must be assigned and understood by all staff to minimise the risk of information misuse. Staff need to be appropriately equipped to carry out their responsibilities.
6. Incident Management
   Information security incidents and events must be managed through an up-to-date structured approach.
7. Business Continuity Management
   Agencies must implement a structured approach to business continuity management based on an information security risk assessment.

Western Australia

The Western Australian Digital Security Policy provides direction for public sector agencies to manage digital security risks. It ensures confidentiality, integrity and availability of digital information.

Updated in June 2017, the policy is applicable for whole-of-government and public sector agencies.

The policy contains 4 key requirements:

1. Implement an Information Security Management System
   Agencies must implement an information security management system that is aligned to its broader risk management plan.
2. Governance and Accountability
   Clear roles and responsibilities need to be defined and implemented in line with the agencies risk and ICT governance frameworks to ensure consistency and support from executive leaders.
3. Assess and Treat Security Risks
   A process must be defined that identifies and assesses digital security risks within the agency’s risk appetite.
4. Continuous Improvement
   Agencies need to support a continuous improvement of digital risk processes. Processes should be routinely monitored, reviewed and tested, ensuring that employee skills and capabilities are simultaneously improved.

---

This article published by SAI Global

Contact Us Today

Please use the form to the right and one of our Information Security Consultants will contact you within one business day. Alternatively, you are welcome to contact us directly by emailing [email protected] or by calling:

• Brisbane ISO Consultants 07 3667 8280
• Sydney ISO Consultants 02 8315 7780
• Melbourne ISO Consultants 03 9034 3990

We look forward to hearing from you and answering any questions you may have.