Cyber security

Direction and guidance on the department’s expectations for cyber security, to support the ongoing secure operation of the department and to enable staff and students to work and learn in a safe digital environment. This policy is a requirement under the NSW Cyber Security Policy and ISO/IEC 27001 Information Security Management Systems Requirements.

Audience

All staff, including contractors, and any parties that access or use the department’s systems or information.

Version: V02.1.0
Date: 02/08/2024
Description of changes: Re-allocation of Chief Information Security Officer (CISO) responsibilities to the Chief Information Officer (CIO) and Director, Security.
Approved by: Chief Information Officer

Version: V02.0.0
Date: 13/05/2024
Description of changes: Updated under the 2023 Policy and procedure review program, including name change from Information Security policy to Cyber security policy, conversion into the new template, and improved readability. Clarified and expanded roles and responsibilities in alignment with the NSW Cyber Security Policy. New policy document ‘Cyber security procedures’ added.
Approved by: Chief Information Security Officer

Document history

2022 Mar 15 - updated Payment Card Industry Data Security link in policy statement.

2022 Oct 31 - Cyber Security email contact address updated.

2022 Feb 28 - updated policy statement to include the department's requirement to comply with the Payment Card Industry Data Security Standard whenever credit card payments are processed (including within schools).

2021 Dec 07 - update to policy statement - updated contact details.

2020 Dec 01 - rescinded implementation document: Information Security Policy Guidelines.

2020 Sep - minor policy update. Change in responsibility and delegation in line with the creation of the Chief Information Security Officer.

2020 Apr - minor updates to text and contact details.

Superseded documents

This policy replaces the rescinded Information Security Policy PD/2013/0453.

  1. Policy statement
    1. The department is committed to providing trusted and secure digital services that protect the confidentiality, integrity and availability of its information.
    2. The department exercises a risk-informed approach to managing cyber security as defined by the Enterprise risk management policy and procedures.
    3. In developing and implementing cyber security, the department maintains compliance with the:
      1. NSW Cyber Security Policy and its mandatory requirements
      2. Australian Cyber Security Centre’s Essential Eight
      3. ISO/IEC 27001 Information security management systems – Requirements
      4. ISO/IEC 27002 Information security controls.
    4. The department has developed, implemented and maintains an approved cyber security plan and Information Security Management System that is integrated with the Information Technology directorate’s business continuity arrangements and department’s enterprise risk management procedures.
    5. The department has a current cyber incident response plan that is integrated with the department’s incident management process and the NSW Cyber Security Incident Emergency Sub Plan. The department must exercise its cyber incident response plan at least every year.
    6. All staff are responsible for cyber security and must follow the cyber hygiene requirements set by the NSW Government in its circular, DCS-2020-05 Cyber Security NSW directive - Practice Requirements for NSW Government.
    7. All staff must report cyber security risks or incidents to the department’s Cyber Security team.
    8. All staff, including contingent workers, and third-party contractors, must complete cyber security awareness training annually. Managers must ensure staff are trained to perform any cyber security duties related to their role.
    9. All staff must ensure appropriate cyber security requirements are built into:
      1. procurements that involve department data, and must request a cyber security assessment for them
      2. the early stages of projects and the systems that are used and maintained.
    10. The Cyber Security team and service owners must ensure that appropriate access controls and security screening processes are in place for people with privileged access or access to sensitive or classified information. Managers are responsible for ensuring that access is appropriate and consistent with day-to-day responsibilities, and that it is monitored within their teams.
    11. All staff must comply with the department’s policies, strategies and standards on cyber security, which are aligned with industry best practice and the department’s cyber risk profile.
  2. Context
    1. The Cyber security policy is a mandatory document for the department’s certified ISO/IEC 27001 Information Security Management System (ISMS). The ISMS enables the department to comply with mandatory NSW legislative and regulatory requirements and to identify, manage and achieve its information security objectives.
  3. Contact
    1. Director, Cyber Security
      CyberSupport@det.nsw.edu.au
      1300 32 32 32 (select 5)
  4. Monitoring the policy
    1. The Director, Cyber Security monitors the implementation of this policy, regularly reviews its contents to ensure relevance and accuracy, and updates it as needed.