NEWS . IT & INFO RISK MANAGEMENT . JULY 2019

---

CYBER SECURITY

WILL YOU MAKE THE 31 AUGUST DEADLINE?

Many agencies are scurrying to fulfill their obligations under the NSW Cyber Security Policy (CSP) by the 31 August 2019 reporting deadline.

The NSW CSP replaced the NSW Digital Information Security Policy in February this year. It applies to all NSW Government Departments and Public Service Agencies (Government Sector Employment Act 2013 Schedule 1 Public Service agencies) and sets out 24 mandatory requirements including the need for an independent review of compliance.

By 31 August each year, you need to submit a report to your Agency head and GCISO, in a template provided by GCISO, covering the following:

• Assessment against all mandatory requirements in the CSP for the previous financial year, including a maturity assessment against the ACSC Essential 8;
• Cyber security risks with a residual rating of high or extreme; and
• A list of the agency’s “crown jewels”.

You also need to include an attestation in your annual report and provide a copy to GCISO.

Machinery of government changes: implications for CSP reporting obligations

As clusters are being restructured on 1 July 2019, the ownership of some IT systems and operational technology will change. In May 2019, the Secretaries Board agreed that attestation against the Cyber Security Policy will be done by departments and agencies within their respective post 1 July organisational arrangements. Cyber Security NSW has advised it is considering options for how to accommodate any anomalies this may create for cluster reporting and will update the Cyber Security Steering Group and Community of Practice on a regular basis.

Maintaining an operational Information Security Management System (ISMS) is a key requirement of the CSP. Centium has been helping agencies to adapt their existing ISMS to integrate into their (new) cluster’s existing ISMS. This can be a delicate exercise given that it’s important to not just spot gaps in the different ISMSes, but also to identify and remove overlaps that can give rise to unnecessary administrative effort and cost.

Centium has assisted agencies to review and unify disparate ISMSes into a cohesive and efficient singular management system. We have also been helping agencies to identify and assess their “crown jewels”, and conducting maturity assessments against the Essential 8, to help them prepare for their 31 August 2019 deadline.

Contact us to find out how Centium can help your agency or cluster to adapt and unify multiple ISMSes into an efficient and effective management system, and how you can meet your 31 August 2019 CSP deadlines.

---

APRA CPS 234

ARE YOU COMPLIANT?

APRA's Prudential Standard CPS 234 Information Security (CPS 234) came into effect on 1st July 2019. APRA has now released its Prudential Practice Guide (CPG), which sets out guidelines relating to board oversight, information security controls and notification of information security incidents in support of the CPS. 

All APRA-regulated entities, including ADIs, general insurers, life insurers, private health insurers, RSE licensees, and authorised or registered non-operating holding companies, must comply with the stringent information security requirements set out in CPS 234 from 1 July 2019.

Importantly, where an APRA-regulated entity is the head of a group, it must comply with the requirements of CPS 234 by ensuring the requirements are applied appropriately throughout the group, including in relation to entities which are not regulated by APRA.

The CPG is not binding. Nonetheless, it provides context about how APRA is likely to enforce the stringent obligations under CPS 234, particularly given its new 'constructively tough' approach to enforcement. The guidance also clarifies some of the steps that ADIs, insurers, superannuation licensees and other APRA-regulated entities should be taking now in relation to board oversight, information security controls and notification of information security incidents.

There's another catch: Although organisations that regularly manage data, software, systems or hardware for APRA-regulated entities (i.e. service providers) may not be directly caught by CPS 234, they are likely to be contractually bound to comply with certain CPS 234 obligations (in particular, those relating to the management or auditing of information security risks and those of sub-contractors) under agreements with APRA-regulated entities.

For many entities, identifying and implementing compliance uplifts will take some time. APRA has said that regulated entities should advise their APRA supervisor if they will not be able to fully comply with CPS 234 from 1 July 2019.

How Centium can help

CPS 234 can't be dealt with in isolation. Entities will need to take a holistic approach to information security and data governance, and also take into account their broader privacy, information security compliance, business continuity and governance obligations.

Centium is very well positioned to assist APRA regulated entities to meet their obligations under the CPS and CPG. The requirements are very similar to those set out in the NSW Government CSP, the VIC PDSF, ISO 27K and the Cth PSPF/ISM. We can bring three decades' worth of government security experience to the private sector. Remember that we were engaged by one of our competitors (RSM) to help them on their ISO 27K certification path given our good reputation within government.

To find out more, please contact our Director IT & Information Risk Management.

RECORDKEEPING

EFFICIENCY GAINS THROUGH GOOD RECORDKEEPING

Many public offices will be transferring functions to other agencies or merging into new clusters as a result of Machinery of Government (MoG) changes. If business activities or functions are being transferred, then records will also be transferred.

Agencies should ensure there are agreements or MOUs about what records are to be transferred, and a plan about how records are to be managed throughout the transition.

In the case of digital records, the transition may involve moving data from one system to another, or from one service provider to another.

Before migrating data, it is important to have undertaken an appropriate risk assessment as this will inform the migration planning and testing processes used. Centium can help agencies with their records management planning and testing processes as part of MoG changes to include:

• Correct identification of what records and information (including metadata) are to be migrated from one system/service environment to another
• Testing to ensure that all records and information (including metadata) have been successfully migrated to target system (new system/service environment)
• Rectification processes to be used if there are issues with quality or success of the migration
• Confirmation that the records and information (and metadata) that is needed for ongoing business, accountability and legal purposes, has been migrated
• Documented appropriate timeframes for the transferring public office (or service provider) to hold the source records after successful migration before deletion occurs. GA48 provides authorisation for the disposal of source records after specific conditions have been met. The rule of thumb is that source records must be kept for "an appropriate length of time" after the migration to "enable confirmation that the migration has been successful". Determination of the specific retention period must be based on your agency’s risk assessment.

To find out more about how Centium can assist you meet your records management obligations during a MoG change, please contact a Centium Practice Lead for an informal chat.

NEW DISPOSAL AUTHORITY FOR PATIENT RECORDS

WHAT YOU NEED TO DO

The revised General Retention & Disposal Authority (GDA) for Public Health Service Patient Records was issued on 30 May 2019. It applies to any organisation, facility or service which is part of the NSW public health system as well as NSW public offices who provide health care services to clients, such as NSW universities.

There have been some increases to retention periods around children's and mental health records, as well as records relating to sexual assault of minors. The indefinite retention of obstetric records has been removed although the records are required to be retained for 50 years after date of the birthing episode.

The amendments to GDA17 do not affect records that have already been destroyed or transferred as State archives. However, where minimum retention periods have changed and the records have been sentenced, local health districts will need to ensure that the correct disposal action has been applied to the records.

What our clients should do

Actions to take include:

• Update your internal policies, procedures and guidelines relating to retention periods and sentencing processes;
• Update your EDRMS (recordkeeping systems) to reflect the revised retention periods
• Train staff regarding the amended retention periods and what it means to them

To find out more about how Centium can help you improve your records management practices, please contact a Centium Practice Lead for an informal chat.

BUSINESS CONTINUITY

CAN YOU SLEEP AT NIGHT KNOWING THAT ALL WILL BE FINE?

Many NSW government agencies already have elements of business continuity plans and associated IT recovery plans. These form part of overall organisational resilience and good risk management.

But how confident are you that your plans are up to date and that the right people know what to do? When was the last time your plan was updated and tested? Will the Machinery of Government (MoG) changes affect your plans?

Centium has been assisting NSW government agencies to enhance and test their business continuity plans, IT recovery plans and overall emergency response plans for decades. We apply practical learnings and better practices from having worked with nearly all government agencies over time. Now is an ideal time to update your plans given the MoG changes.

Here are some ways in which we’ve worked with our state and local government clients in the recent past:

• Conducting a “fresh eyes” review of existing Business Continuity Plans, IT (Disaster) Recovery Plans, and Emergency Response Plans
• Refreshing your Business Impact Assessment (which should be reviewed and updated at least every year) to identify changes in your key business processes, critical ICT systems, vital records, Maximum Acceptable Outages, Recovery Point Objectives and continuity risks
• Updating and unifying Business Continuity Plans, IT (Disaster) Recovery Plans, and Emergency Response Plans in response to Machinery of Government changes
• Conducting exercises/tests of your Business Continuity Plans, IT (Disaster) Recovery Plans, and Emergency Response Plans
• Training your staff to make sure they understand their roles and obligations during a disruptive event or emergency
• Reviewing, updating and testing Cyber Security Incident Response Plans and Data Breach Response Plans

Contact us to find out more about how we can help your agency with its business continuity and resilience efforts, particularly in light of MoG changes.

PCI DSS

INTEGRATING PCI DSS WITH YOUR ISMS AND CSP OBLIGATIONS

Many state and local government agencies provide some form of online payment facility to the community or other parties. Agencies (whether merchants or service providers) that deal with cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS). The DSS address 12 security requirements over six areas:

• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

What you need to do to comply 

There are a couple of decision points to make to identify your precise compliance requirements. First, determine whether you are a Level 1, 2, 3 or 4. This depends on the number of real-world debit/credit card transactions per annum. This is important to get right as it determines the amount of assessment and security validation required to pass PCI DSS assessment.

The PCI DSS merchant levels are:

• Level 1: Merchants with over 6 million transactions a year, across all channels or any merchant that has had a data breach
• Level 2: Merchants with between 1 million and 6 million transactions annually, across all channels
• Level 3: Merchants with between 20,000 and 1 million online transactions annually.
• Level 4: Merchants with fewer than 20,000 online transactions a year or any merchant processing up to 1 million regular transactions per year

If you are a Level 1, you have to undergo a formal audit by an authorised PCI Auditor every year. You also have to submit a PCI scan by an Approved Scanning Vendor once a quarter.

However, if you are a Level 2, 3 or 4, you may not have to undergo a formal audit; you can simply complete and submit a Self-Assessment Questionnaire every year. You may also be required to undertake a PCI scan each quarter.

Centium has assisted some of NSW government’s most critical IT service entities with their PCI DSS obligations. We are able to integrate your PCI DSS with your existing ISO 27001 ISMS and NSW Cyber Security Policy obligations. This helps avoid unnecessary duplications, overlaps and gaps.

Contact us to find out more about how we can help you with your PCI DSS obligations and integrating with your ISMS and CSP obligations.