Focusing on the fundamentals:
Written by Vivienne Mutembwa, Privasec’s GRC Consultant
The NSW Government released an update of its Cyber Security Strategy in May 2021. This new strategy encompasses focus areas for both the public and private sector, continuing to strengthen and improve on the NSW Government’s previous strategic planning.
The NSW Government has presented four principles that must be considered as part of executing its strategy:
- Lead by example in best practice and cyber resilience
- Be progressive and proactive to allow cyber workforce to expand
- Seek opportunities to grow cyber industry commercialisation
- Provide practical support to reduce barriers to business growth
In the next segment, we examine the ‘Lead by example in best practice and cyber resilience’ and what this means for our government agencies.
Leading from the front
Although the principles are not given a hierarchy, a standout principle is that of the Government leading by example in ‘best practice and cyber resilience’. Under this principle the government’s programs and initiatives include:
- Increased accountability for agencies’ adherence to the NSW Government Cyber Security Policy mandatory requirements.
- Commitment to establish a Mandatory Notifiable Data Breach scheme intended to improve data handling practices and management of incidences of breaches likely to result in harm by agencies.
- Continuation of preparedness to manage state-wide cyber security risks through the NSW Cyber Security Incident Emergency Management Sub Plan.
Focusing on the fundamentals
The NSW Cyber Security Policy 2019 has 25 Mandatory requirements including:
- Implement an Information Security Management System (ISMS) or Cyber Security Framework (CSF).
- Classify information and systems according to their importance.
- Implement the Australian Cyber Security Centre (ACSC) Essential Eight Strategies to Mitigate Cyber Security Incidents.
The three requirements above involve people, processes and technology related controls and practices that; when established, implemented, and operated effectively; present an opportunity for tailored best practice in managing cyber risk.
The interconnectedness of government agencies and finite resources favours a collaborative approach to cyber resilience. Under the NSW Cyber Security Incident Emergency Management Sub Plan 2018, individual agencies are given responsibilities as part of the whole-of-government plan for significant cyber security incidents or crises affecting NSW Government organisations. These responsibilities include:
- Developing and maintaining cyber incident response plans and business continuity plans that address the risk of a cyber incident to ensure delivery of government services.
- Participating in exercises designed to test their incident management and business continuity arrangements.
- Coordinating cyber security responses at the agency level by relevant security personnel including Cluster CISOs and/or SROs and ECSOCs or delegates.
- Maintaining core business to the greatest extent possible as per agencies’ cyber incident and business continuity plans and undertaking emergency-related roles identified whole-of-government plans.
The introduction of the NSW Mandatory Notifiable Data Breach scheme for agencies will provide further improvement and transparency in data handling practices and management of incidences of breaches likely to result in harm.
Budgeting for Resilience
Introduced in the 2019-20 State Budget, the NSW Government’s Digital Restart Fund is managed by the by the Department of Customer Service (DPC). This fund was established to ‘fund iterative, multi-disciplinary approaches to planning, designing, and developing digital products and services in NSW. It encourages projects that use modern methodology and foster customer-driven business transformation and collaboration across the NSW Government Sector.’
In 2020-21, the NSW government Customer Service Cluster investment comprised of $240.0 million under the Digital Restart Fund over three years allocated to Cyber Security Investments across the sector. This included the initiative for a $20.0 million ($60.0 million expenses over three years) investment in Cyber Security Maturity, a program under the control of the NSW Chief Cyber Security officer in the Department of Customer Service. For 2021-22 the NSW government Customer Service Cluster investment will include a further $500.0 million over three years to increase the Digital Restart Fund (DRF) to the total funding of $2.1 billion.
Although budget funding is intended to support cyber security uplift programs, this is alongside other prioritised programs that focus on digital transformation and modernisation. This highlights the challenge of balancing cyber trust and convenience. The expectation is that agencies will likely have to fund significant portions of their cyber security programs with existing operating budgets, whilst ensuring continued business as usual operations and service delivery. To effectively achieve this requires strategic planning and risk-based prioritisation of program initiatives.
About ISO 27001
ISO 27001 is the international standard that sets out the specification for an information security management system ISMS. It contains a set of best practices to allow organisations to implement a world class risk management system to strategise and coordinate their security investments whilst getting marketable recognition for it.
Many organisations, including governments, are now insisting that their suppliers and contractors demonstrate that they manage security in compliance with ISO 27001. Privasec’s governance approach is centered on the principle that ‘no two organisations are the same’. This means no two effective Information Security Management Systems (ISMS) are ever the same.
ISO 27001 Clauses 4 to 10 prescribes the minimum requirements of the ISO 27001 standard for the establishment of an Information Security Management System (ISMS). It follows the continuous improvement cycle – Plan-Do-Check-Act (PDCA) – which an organisation must establish in order to be able to go through certification.
- Plan – Identify Risk to the Confidentiality, Integrity and Availability (CIA) of assets
- Do – Put relevant controls in place
- Check – Audit the implementation for efficiency and effectiveness
- Act – Improve ineffective or inefficient controls
To design the best possible system, Privasec begins by understanding the business environment, business objectives, constraints, values and culture. Privasec then conducts an initial information risk assessment to identify the actions and priorities for managing information security risks. This highlights major gaps and areas for improvement, which allows Privasec to create an associated and tailored risk treatment plan. Lastly, Privasec helps its clients to remediate their gaps and executes an internal audit program to report on security control effectiveness, progress of risk remediation and provides assurance back to the business for review and action.
To ensure that its client is fully prepared for its certification audit, Privasec leverages the internal audit process to help stakeholders get familiarised and comfortable with the process. Privasec also liaises with the chosen Certification Body to guide the entire process and acts on its client’s behalf during the certification audits.
About Privasec’s ACSC Essential Eight (E8) Maturity Assessment Approach
Privasec follows a mature assessment and auditing approach to provide organisations with assurance on its effective alignment with the Essential Eight controls and roadmap to achieve the highest level of maturity. Our assessment process leverages the people, process, and technology aspects with a combination of advanced auditing tools to provide an objective assessment of risk and compliance to the Essential Eight controls.
Our reports provide a holistic and detailed view of the organisation’s current compliance to the Essential Eight, cyber-risk exposure profile and the current maturity. We also deliver a detailed compliance roadmap against each of the mitigation strategies, with recommendations of ways to achieve the highest level of maturity. These reports form a baseline for the Annual Compliance Reporting and can be used to support the organisation’s cyber-security reporting, for example, NSW Cyber Security Policy Annual reporting and attestations submissions to relevant governance bodies including the Cyber Security Senior Officers Group (CSSOG) and the ICT and Digital Leadership Group (IDLG).
Privasec is one of the fastest growing independent security, governance, risk and compliance consulting firms in South East Asia and Australia. We are driven by business outcomes bridging the gap between the technical and business worlds to create meaningful business cases and enhance decision making. To learn more about us and our services, please visit our website: https://www.privasec.com/