Understanding the New NSW Cyber Security Policy 2023-2024: Key Changes and Compliance Considerations
Phronesis Security
Phronesis Security is Australia's first B Corp cyber security consultancy, committed to doing cyber security for good.
The New South Wales (NSW) Government recently unfurled version 6 of the NSW Cyber Security Policy 2023-2024, a pivotal document that delineates mandatory cyber security requirements for NSW Government agencies. It stands as a testament to the government's unwavering commitment to bolstering the security posture of its digital assets and services.
Grasping the key shifts, enhancements, and considerations ushered in by this new policy is paramount, as agencies brace themselves for a new set of control requirements that must be captured in their annual attestations.
Our NSW Director Eric Pinkerton reviewed the new policy, vis-à-vis version 5, and shared the following insights:
My initial thought was, the new policy stretches over 35 pages, in stark contrast to the previous one's 22 pages. In an era where the trend leans towards simplifying and curtailing the verbosity of such documents, one wonders, do we genuinely need an additional 13 pages of directives?
The new policy does indeed furnish more granular details regarding the requirements for implementing controls, alongside specific actions such as:
Fear not, though! The new policy sheds light on the assistance available from Cyber Security NSW, including guidance documents and toolkits, signaling a welcome shift towards a more collaborative approach. This is also in line with the increased emphasis on collaboration and support to smaller organisations that historically have been left behind, as per the federal government's 2023–2030 Australian Cyber Security Strategy.
A fresh section on reporting and attestation underscores the significance of accountability and oversight, demonstrating an augmented focus on transparency and governance that is bang on trend.
The new version mandates annual risk assessments and assessments after significant changes, in contrast with version 5, which emphasised the importance of conducting risk assessments, but lacked a specific timeframe. Avoiding tickbox risk management practices and aligning strategic outcomes to the organisation's most pertinent risks (which can change year to year) to maximise return on investment is one of the key indicators of success we see amongst our own clients.
In addition, the new policy introduces a more structured and comprehensive list of expectations for agencies, including the inclusion of cloud services under the ICT systems managed, owned, or shared by the NSW public sector. Admittedly, they're a tad late to the party, but as the saying goes, better late than never. It certainly mirrors the broader trend of escalating reliance on cloud technologies and SaaS platforms, and the imperative to attain assurance they remain secure.
There's also a much stronger emphasis on managing third-party service providers, including establishing and maintaining an inventory of such providers, ensuring contractually supported processes for incident notification, and embedding cyber security requirements in contracts.
Specific reporting responsibilities for departments, agencies, or statutory authorities that fall under the purview of the NSW Cyber Security Policy are delineated, encompassing reporting security incidents, vulnerabilities, and compliance with Mandatory Requirements to entities that utilise their services.
An updated compendium of useful links and references, including guidance on data breaches, risk management toolkits, and standards on records management, accurately reflects an evolving cyber security resource landscape.
Both policies touch on exemptions and extensions, but the new policy specifies a deadline (prior to 30 September) for submitting such requests in writing to Cyber Security NSW. This addition heralds a more formalised process for seeking exemptions or extensions - a step in the right direction for finding a pragmatic balance between operational suitability and security.
Where the rubber really meets the road for this change is the shift from a relatively simplistic set of twenty requirements under version 5:
To a far more prescriptive set of requirements in version 6 (comprising no fewer than 117 separate detailed requirements):
What is commendable in this change is the increased specificity in requirements (which will result in far less ambiguity), the continued emphasis on risk management, and updates that mirror the current technological and threat landscape.
However, the additional burden this will place on agencies, to meet and attest to each of these line items, will be considerable - and may be challenging for smaller agencies that may currently lack the knowledge or resourcing to meet these expanded requirements.
Whilst this policy will pave the way for better-prepared agencies, more robust cyber security postures, and a clearer delineation of responsibilities across the state, it may be somewhat of a ‘moon shot’ without significant additional support.
As a result, we may continue to see reporting across the state that the majority of agencies are falling short of their obligations to meet these requirements.
To review the policy itself, you can find it in full at Digital NSW at the following location: https://www.digital.nsw.gov.au/sites/default/files/2024-02/NSW-Cyber-Security-Policy-2023-2024.pdf
To learn more about Phronesis Security's capabilities and experience in helping NSW Government agencies meet their cyber security obligations, and to get in touch, visit the following location: https://www.phronesissecurity.com/industries/government