The new NSW Government Cyber Security Policy: Act Now!

February 19, 2019

The NSW government announced its new Cyber Security Policy (CSP) in February 2019.

All NSW State Government agencies and department clusters are required to develop and maintain an ISO 27001 compliant Information Security Management System (ISMS) under the requirements of the State’s CSP and have until 31 August 2019 to definitively and positively attest to the CSP as part of its Annual Report. Requirements have changed from those required under the Digital Information Security Policy (DISP) 2015 which had been in force.  

Centium have already assisted many agencies to migrate from the DISP to the CSP and to update their ISMSes to meet the new obligations. Contact Vinodh Stanley or Henry Jayawardena, both Practice Managers for IT and Information Risk Management for more information on how we can help you.

The new CSP can be viewed here.

What You Should Do

Agencies or cluster Departments have until 31 August 2019 attest to the CSP in their Annual Report and to the Government Chief Information Security Officer (GCISO) including a maturity assessment against the ACSC Essential Eight.

CENTIUM CAN ASSIST agencies and cluster Departments THROUGH THIS PROCESS AS SHOWN BELOW.

In terms of ISMS, item 3.1 still requires agencies to maintain an ISO 27001 and for agencies or cluster departments to either have their ISMS certified or independently reviewed. Centium has worked with dozens of NSW Government Departments and Agencies to develop a compliant ISMS that is bespoke, “fit for purpose” and practical for their needs.

Beyond ISMS, the CSP itself includes 23 other requirements (i.e. 24 in total). We have mapped the CSP requirements to the ISO 27K standard and to the former DISP. This can save you a lot of time and effort in migrating your former DISP and ISMS efforts to align with the CSP.

You’ll find a redacted excerpt of our extensive mapping process below:

DISP CSP ISO 27001 (ISMS) Impact on clients’ existing ISMS
Scope: digital information, ICT Scope: “crown jewels”, cyber security, ICT, IACS, IoT Scope: digital information, ICT Scope: “crown jewels”, cyber security, ICT, IACS, IoT Scope: digital information, ICT Scope: “crown jewels”, cyber security, ICT, IACS, IoT  
CR 1 Must have an ISMS 3.1 Implement an ISMS or Cyber Security Management System that is compliant with recognised standards such as ISO/IEC27001 or ISA/IEC62443 (for IACS) and implement the relevant controls based on requirements and risk appetite.  4.4 Determine whether the client maintains any IACS or IOT such as…
CR 2 Minimum Controls      
Governance  Senior management must provide direction and support for ...    The Information Security Management Systems (ISMS) must include the following governance arrangements:    …;…, and … 1.1 Allocate …   1.2 Governance …   2.3 Foster … Section … ISMS and information security policies need to ...   Establish ...   Define process for security risk assessment … Train staff …
  1.3 Have an approved cyber security plan to …  Section…; Indirectly may be a… Develop and document a Cyber Security Plan with a clear linkage to …
  1.4 Conduct cyber security risk assessments and include... Section … Review the existing ISMS Risk Assessment and enhance it to …
  3.2 Implement and report against …  Section … (indirectly) Section … Assess …
Independent Review  Agencies must … 3.1 At a Cluster or Agency level, there must be: An ISO27001 certification, with annual … An annual, independent …An annual, independent … Ensure the ISMS “management system” component, including the corresponding control … reflects …
Info classification, labelling, handling … 3.3 Classify information and systems according to their importance... …   Report the Crown Jewels to the GCISO.
Controlling access to information … 2.4 Ensure that people who have access to … Security screening is …
Processing, handling, integrity, storage of info and documentation … 3.5 Ensure that new ICT systems or enhancements include processes for … … … …  
Acquisition, development and maintenance of information systems and services. 3.4 Ensure cyber security requirements are built into … …    
Controlling relationships with external parties … 1.5 Remain accountable for ...  Check existing ISMS to ensure supplier relationship management …
Business processes and continuity … 1.3 Have an approved cyber security ..integrated with …    
Security incident management …   1.5 Service providers must …   2.2  Increase awareness …   4.1 Have a current …    4.2 Test …    4.3 Deploy …    4.4 Report …    4.5 Participate in … Ensure contracts …   Ensure the agency has a documented …   Ensure ...   Ensure the agency has tested ...   Ensure the agency has incorporated ...   Determine whether ...
Collaboration and information sharing … 2.5 Share information on … Ensure the agency has …
Training and Awareness … 2.1 Implement regular… Check whether the agency’s ISMS procedures require …
CR 3: ISO 27K certification required by… 3.1 At a Cluster or Agency level, there must be:   An ISO27001 certification, with …, orAn annual, independent …An annual, independent … Section …; …  
CR4: Nominate an SRO. Report … 2.5 Share information on … Section …, Section … Ensure the agency has …
CR5 Annual Compliance Attestation including… 5.1 Report annually by August 31 to ...   5.2 Ensure cyber security risks with a residual rating of …    5.3 Ensure the Agency’s “crown jewels” are identified and reported to the GCISO…    5.4 Provide an attestation on cyber security in … Section …, Section … Annual attestation to GCISO and Agency Head by 31 August each year, including maturity assessment against the EE.   Report cyber security risks with a residual rating of…   Identify and report …   Provide an attestation on cyber security in …
  ESSENTIAL EIGHT    
  Application whitelisting of approved/trusted programs to … … , … Contact Centium to discuss.
  Configure Microsoft Office macro settings to …  … , … Contact Centium to discuss.
  Patch applications e.g. … Patch/mitigate computers with … Contact Centium to discuss.
  User application hardening. Configure … … , … Contact Centium to discuss.
  Restrict administrative privileges to … Contact Centium to discuss.
  Patch operating systems… Contact Centium to discuss.
  Multi-factor authentication including for ... … , … Contact Centium to discuss.
  Daily backups of … Contact Centium to discuss.

How Centium Can Help

We have a team of expert ISMS and cyber security specialists who have worked with dozens of State Government agencies across NSW since 1985. Not only that, we have already assisted numerous agencies to migrate from the DISP to the CSP and to update their ISMSes to meet the new obligations. We have also mapped across the Essential Eight and have many shortcuts and “lessons learnt” to share.

We can help you to:

  • Review and update your ISMS, based on risk and risk appetite, so that your ISMS is bespoke and fit for purpose yet in line with the CSP
  • Identify the gaps which may prevent you from providing a positive CSP attestation by 31 August
  • Guide you on how to fix the gaps in the CSP’s 24 mandatory requirements
  • Enable you to positively attest to the CSP by the deadline
  • Facilitate a smooth transition from the DISP to the CSP
  • Prepare your Essential Eight maturity assessment per CSP requirement 3.2
  • Supplement internal audit capabilities in this area
  • Conduct a technical assessment of your cyber security defences
  • Conduct your ISMS independent internal audits per CSP requirement 3.1
  • Develop and/or test your Cyber Security Incident Response Plan
  • Develop and/or test your Business Continuity and ICT Recovery Plans
  • Assist with cyber security education per CSP requirements 2.1 and 2.2

For more info, download our NSW Government Cyber Security Service Sheet or alternatively, contact:

Vinodh Stanley, Practice Manager, IT and Information Risk Management

Vinodh has 15 years’ experience in the field of ISMS, Information Security, audit and risk management. He has successfully led and managed specialised security teams to improve the security posture of organisations in NSW and internationally and has assisted NSW agencies to transition from the DISP to the CSP.

Henry Jayawardena, Practice Manager, IT and Information Risk Management

Henry has more than 20 years’ experience in ISMS, IT Audit and Technology Risk & Compliance with added exposure in IT advisory risk consulting & Project Management. He has been instrumental in developing a risk analysis procedure during his tenure at the Audit Office of NSW.

Lisa Sampson, Practice Manager, Business Development & Innovation

Lisa has 25 years’ experience in regulatory framework development and compliance, commercialisation across the project lifecycle, mergers and amalgamations, strategic brand building, publicity, marketing and communications.

Our Clients

Top