WILL YOU MAKE THE 31 AUGUST DEADLINE?
Many agencies are scurrying to fulfill their obligations under the NSW Cyber Security Policy (CSP) by the 31 August 2019 reporting deadline.
The NSW CSP replaced the NSW Digital Information Security Policy in February this year. It applies to all NSW Government Departments and Public Service Agencies (Government Sector Employment Act 2013 Schedule 1 Public Service agencies) and sets out 24 mandatory requirements including the need for an independent review of compliance.
By 31 August each year, you need to submit a report to your agency head and the GCISO, in a template provided by the GCISO, covering the following:
You also need to include an attestation in your annual report and provide a copy to GCISO.
Machinery of government changes: implications for CSP reporting obligations
As clusters are being restructured on 1 July 2019, the ownership of some IT systems and operational technology will change. In May 2019, the Secretaries Board agreed that attestation against the Cyber Security Policy will be done by departments and agencies within their respective post 1 July organisational arrangements. Cyber Security NSW has advised it is considering options for how to accommodate any anomalies this may create for cluster reporting and will update the Cyber Security Steering Group and Community of Practice on a regular basis.
Maintaining an operational Information Security Management System (ISMS) is a key requirement of the CSP. Centium has been helping agencies to adapt their existing ISMS to integrate into their (new) cluster’s existing ISMS. This can be a delicate exercise given that it’s important to not just spot gaps in the different ISMSes, but also to identify and remove overlaps that can give rise to unnecessary administrative effort and cost.
Centium has assisted agencies to review and unify disparate ISMSes into a cohesive and efficient singular management system. We have also been helping agencies to identify and assess their “crown jewels”, and conducting maturity assessments against the Essential 8, to help them prepare for their 31 August 2019 deadline.
Contact us to find out how Centium can help your agency or cluster to adapt and unify multiple ISMSes into an efficient and effective management system, and how you can meet your 31 August 2019 CSP deadlines.
APRA CPS 234
ARE YOU COMPLIANT?
APRA's Prudential Standard CPS 234 Information Security (CPS 234) came into effect on 1 July 2019. APRA has now released its Prudential Practice Guide (CPG), which sets out guidelines relating to board oversight, information security controls and notification of information security incidents in support of the CPS.
All APRA-regulated entities, including ADIs, general insurers, life insurers, private health insurers, RSE licensees, and authorised or registered non-operating holding companies, must comply with the stringent information security requirements set out in CPS 234 from 1 July 2019.
Importantly, where an APRA-regulated entity is the head of a group, it must comply with the requirements of CPS 234 by ensuring the requirements are applied appropriately throughout the group, including in relation to entities which are not regulated by APRA.
The CPG is not binding. Nonetheless, it provides context about how APRA is likely to enforce the stringent obligations under CPS 234, particularly given its new 'constructively tough' approach to enforcement. The guidance also clarifies some of the steps that ADIs, insurers, superannuation licensees and other APRA-regulated entities should be taking now in relation to board oversight, information security controls and notification of information security incidents.
There's another catch: Although organisations that regularly manage data, software, systems or hardware for APRA-regulated entities (i.e. service providers) may not be directly caught by CPS 234, they are likely to be contractually bound to comply with certain CPS 234 obligations (in particular, those relating to the management or auditing of information security risks and those of sub-contractors) under agreements with APRA-regulated entities.
For many entities, identifying and implementing compliance uplifts will take some time. APRA has said that regulated entities should advise their APRA supervisor if they will not be able to fully comply with CPS 234 from 1 July 2019.
How Centium can help
CPS 234 can't be dealt with in isolation. Entities will need to take a holistic approach to information security and data governance, and also take into account their broader privacy, information security compliance, business continuity and governance obligations.
Centium is very well positioned to assist APRA-regulated entities to meet their obligations under the CPS and CPG. The requirements are very similar to those set out in the NSW Government CSP, the VIC PDSF, ISO 27K and the Cth PSPF/ISM. We can bring three decades' worth of government security experience to the private sector. Remember that we were engaged by one of our competitors (RSM) to help them on their ISO 27K certification path, given our good reputation within government.
To find out more, please contact our Director IT & Information Risk Management.
EFFICIENCY GAINS THROUGH GOOD RECORDKEEPING
Many public offices will be transferring functions to other agencies or merging into new clusters as a result of Machinery of Government (MoG) changes. If business activities or functions are being transferred, then records will also be transferred.
Agencies should ensure there are agreements or MOUs about what records are to be transferred, and a plan about how records are to be managed throughout the transition.
In the case of digital records, the transition may involve moving data from one system to another, or from one service provider to another.
Before migrating data, it is important to have undertaken an appropriate risk assessment as this will inform the migration planning and testing processes used. Centium can help agencies with their records management planning and testing processes as part of MoG changes to include:
To find out more about how Centium can assist you to meet your records management obligations during a MoG change, please contact a Centium Practice Lead for an informal chat.
NEW DISPOSAL AUTHORITY FOR PATIENT RECORDS
WHAT YOU NEED TO DO
The revised General Retention & Disposal Authority (GDA) for Public Health Service Patient Records was issued on 30 May 2019. It applies to any organisation, facility or service which is part of the NSW public health system as well as NSW public offices who provide health care services to clients, such as NSW universities.
There have been some increases to retention periods around children's and mental health records, as well as records relating to sexual assault of minors. The indefinite retention of obstetric records has been removed, although the records are still required to be retained for 50 years after the date of the birthing episode.
The amendments to GDA17 do not affect records that have already been destroyed or transferred as State archives. However, where minimum retention periods have changed and the records have been sentenced, local health districts will need to ensure that the correct disposal action has been applied to the records.
What our clients should do
Actions to take include:
To find out more about how Centium can help you improve your records management practices, please contact a Centium Practice Lead for an informal chat.
CAN YOU SLEEP AT NIGHT KNOWING THAT ALL WILL BE FINE?
Many NSW government agencies already have elements of business continuity plans and associated IT recovery plans. These form part of overall organisational resilience and good risk management.
But how confident are you that your plans are up to date and that the right people know what to do? When was the last time your plan was updated and tested? Will the Machinery of Government (MoG) changes affect your plans?
Centium has been assisting NSW government agencies to enhance and test their business continuity plans, IT recovery plans and overall emergency response plans for decades. We apply practical learnings and better practices from having worked with nearly all government agencies over time. Now is an ideal time to update your plans given the MoG changes.
Here are some ways in which we’ve worked with our state and local government clients in the recent past:
Contact us to find out more about how we can help your agency with its business continuity and resilience efforts, particularly in light of MoG changes.
INTEGRATING PCI DSS WITH YOUR ISMS AND CSP OBLIGATIONS
Many state and local government agencies provide some form of online payment facility to the community or other parties. Agencies (whether merchants or service providers) that deal with cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS). The DSS addresses 12 security requirements over six areas:
What you need to do to comply
There are a couple of decision points to work through to identify your precise compliance requirements. First, determine whether you are a Level 1, 2, 3 or 4 merchant. This depends on the number of real-world debit/credit card transactions per annum. It is important to get this right, as it determines the amount of assessment and security validation required to pass a PCI DSS assessment.
The PCI DSS merchant levels are:
If you are a Level 1, you have to undergo a formal audit by an authorised PCI Auditor every year. You also have to submit a PCI scan by an Approved Scanning Vendor once a quarter.
However, if you are a Level 2, 3 or 4, you may not have to undergo a formal audit; you can simply complete and submit a Self-Assessment Questionnaire every year. You may also be required to undertake a PCI scan each quarter.
Centium has assisted some of NSW government’s most critical IT service entities with their PCI DSS obligations. We are able to integrate your PCI DSS with your existing ISO 27001 ISMS and NSW Cyber Security Policy obligations. This helps avoid unnecessary duplications, overlaps and gaps.
Contact us to find out more about how we can help you with your PCI DSS obligations and integrating with your ISMS and CSP obligations.