Cyber security procedures

Direction and guidance on securing the department’s digital devices, services and information to enable staff and students to work and learn in a safe digital environment. Understand employee responsibilities in maintaining security and protecting the confidentiality, integrity and availability of information in line with the department’s Cyber security policy.

Audience

All staff in schools and education support settings, including contractors, and any parties that access or use the department’s digital devices, services, and information.

Version: V01.0.0
Date: 13/05/2024
Description of changes: Under the 2023 Policy and procedure review program, new policy document developed.
Approved by: Chief Information Security Officer


About the policy

These procedures relate to the Cyber security policy.

Term Definition

Audit and Risk Committee (ARC)

Provides independent advice and support to the Secretary regarding the department's governance, risk and internal control frameworks as well as external accountability obligations. The responsibilities of the committee include seeking assurance around, and conducting a review of, key areas:

  • risk management
  • governance and accountability
  • external accountability
  • compliance and ethics
  • internal audit
  • external audit.

Business owner

Owns the application from the business side. They are responsible for:

  • the business functions that rely on the IT assets, including the applications and services
  • ensuring that IT assets meet the needs of the business, and that they are used in line with relevant policies and regulations.

Cyber incident

An occurrence or activity that threatens or has compromised the confidentiality, integrity or availability of a system or the information stored, processed or communicated by it. This includes the security of the department’s digital devices, systems and information, information and communications technology (ICT) infrastructure or personal information held by the department.

Cyber Security team

The team within the Information Technology Directorate that manages the day-to-day cyber functions within the department.

Cyber Security Working Group

A monthly consultative forum that supports the department in complying with mandatory requirements under the NSW Cyber Security policy. The Chief Information Security Officer (CISO) chairs the forum, which is made up of executive representatives from across the department.

Data breach

This occurs when personal, health, commercially sensitive or otherwise confidential information held by the department is accessed or disclosed without authorisation or is lost.

Data or department data

A collection of organised items. This may consist of numbers, words, or images, particularly as measurements or observations of a set of variables.

Department data refers to all data gathered, communicated, managed or used by the NSW Department of Education.

Digital devices

Electronic devices that can receive, store, process and share digital information and connect to applications (apps), websites and other online services. They include desktop computers, laptops, tablets, smartwatches, smartphones and other devices.

Health information

Personal information relating to or collected in providing for a person’s physical or mental health, health services and donations, genetic information and other health care identifiers. Examples include, but are not limited to:

  • personal information provided to any health organisation
  • a health service already provided to a staff member or student
  • a health service that is going to be provided
  • a health service a staff member or student has asked to be provided
  • some genetic information about a staff member or student, their relatives or descendants.

Information

Any communication or representation of knowledge such as facts, data, or opinions in any medium or form.

Information security management system (ISMS)

The policies, procedures, guidelines and associated resources and activities, collectively managed by an organisation in the pursuit of protecting its information assets. A systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation’s information security to achieve business objectives (ISO/IEC 27000:2018).

ISMS Framework

Outlines the scope and operation of the department’s ISMS, allows the department to measure its performance against the objectives of its cyber security plan, and is provided to Cyber Security NSW each year as evidence of compliance.

ITD

Information Technology Directorate.

Personal information

Information or an opinion (including information or an opinion forming part of a database, whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. Examples include, but are not limited to:

  • a written record that may include a person’s name, address and other details
  • photographs, images, video or audio footage
  • fingerprints, retina prints, body samples or genetic characteristics.

Risk appetite

The amount and type of risk the department is willing to undertake to achieve its strategic objectives in line with our Enterprise risk management policy.

Risk informed

A decision-making process where information about potential risks and their consequences is used to make decisions.

Sensitive information

This includes:

  • personal information
  • health information
  • information that could be subject to legal privilege
  • commercial-in-confidence information
  • law enforcement information
  • NSW Cabinet information
  • National Cabinet information.

The NSW Government collects, stores and manages sensitive information as a part of normal business processes.

Service owner

Responsible for developing, procuring, integrating, modifying, operating, maintaining and finally disposing of an information system.

System

Any application or ICT configuration item that stores, transmits, creates or uses information.

The Secretary:

  • appoints appropriate senior executive officers and a governance committee to oversee and implement the department’s obligations under the NSW Cyber Security policy
  • ensures the department implements and maintains an effective cyber security plan
  • determines the department’s risk appetite (refer to the Enterprise risk management Toolkit) using the approved whole-of-government Internal Audit and Risk Management Policy (refer to NSW Treasury’s Internal audit and risk management), defining how much and what type of risk the department is willing to take on to achieve its objectives.

The Audit and Risk Committee (ARC):

  • governs key compliance activities.

The Cyber Security Working Group:

  • is a consultative forum that contributes and consults on key compliance activities
  • promotes a cyber-safe culture across the organisation, to ensure cyber security is understood as a shared responsibility
  • promotes cyber safety practices and the importance of following the associated standards and procedures in all schools and education support settings.

System business owners and service owners:

  • cooperate with the Cyber Security team during the preparation of the annual maturity report and other compliance activities as required
  • with the assistance of asset support staff, develop and implement technical information security safeguards to manage identified risks.

The Chief Information Officer (CIO):

  • oversees and implements the department’s Cyber security policy, sets the strategic direction for the Cyber Security team, establishes department cyber security programs and plans, and appropriately resources and supports department cyber security initiatives, including training and awareness and continual improvement initiatives
  • supports the department’s cyber security plan
  • allocates funding and resources to develop, implement, and maintain an Information Security Management System (ISMS)
  • enables industry best practice for identifying assets, assessing risk and applying appropriate controls within the department’s scope
  • determines the scope of CIO and Chief Operating Officer responsibilities for cyber security relating to assets such as information, building management systems and industrial automation and control systems
  • ensures a secure-by-design approach for new initiatives and upgrades to department systems.

The Chief Data Officer:

  • supports the department’s cyber security plan.

The Chief Information Security Officer (CISO):

  • ensures compliance with the NSW Cyber Security policy and supports the department to implement and maintain an effective cyber security program and plan including via effective collaboration and governance forums
  • ensures the Cyber Security team develops, implements, and maintains the plan
  • submits a maturity report to Cyber Security NSW each year (by 31 October)
  • approves the Information Security Management System (ISMS) and:
    • allocates resources for its function and manages the budget and funding for the cyber security program
    • endorses or approves policies, procedures, practices and tools to ensure compliance with the NSW Cyber Security policy
    • assesses and provides recommendations on any exemptions to department cyber security policies and standards
    • ensures the ISMS achieves its intended outcomes
    • reports on the performance of the ISMS to the department’s executive
  • develops a cyber security strategy, architecture and risk management process that incorporates these with the department’s current Enterprise risk management policy and framework
  • reports cyber incidents to the department’s executive and Cyber Security NSW in alignment with

The Chief Operating Officer (COO):

  • supports the department’s cyber security plan.

The Director, Cyber Security Operations:

  • coordinates the implementation and day-to-day operation of the Information Security Management System (ISMS) Framework and ensures the ISMS meets the required international standards
  • develops and maintains cyber security standards, procedures and guidelines
  • manages the life cycle of cyber security platforms including design, deployment, ongoing operation, and decommissioning
  • ensures appropriate management of the availability, capacity and performance of cyber security hardware and applications
  • provides input and support to regulatory compliance and assurance activities and manages any resultant remedial activity
  • acts as a focal point within the department for all matters related to information management required to support cyber security
  • escalates and reports cyber incidents that involve information damage or loss to the Legal Services directorate
  • measures the performance of the ISMS and reports to the CISO
  • coordinates cyber security risk assessments across ISMS assets and third-party vendors that send or receive ISMS asset data, and ensures identified risks are managed to an acceptable level
  • in accordance with the ITD Contract Management Framework, ensures third-party ICT service providers:
    • understand and comply with the department’s cyber security requirements
    • operate within the department’s information security requirements (refer to ICT contract requirements) and participate in security and performance reviews as required
  • manages and coordinates the response to cyber security incidents, changing threats, and vulnerabilities.

The Cyber Security team:

  • develops, implements, and maintains the department’s cyber security plan
  • prepares the maturity report for Cyber Security NSW each year
  • develops, maintains, and implements mandatory cyber security training for all employees, regardless of their role or level of access, to gain the appropriate knowledge to protect sensitive information and mitigate potential risks
  • provides access to mandatory cyber security training to increase awareness
  • encourages the reporting of cyber security risks by all staff
  • shares information about using department devices, systems, and information properly and securely
  • establishes and enforces appropriate access controls and security screening procedures for individuals granted access to department devices, systems, and information
  • in collaboration with relevant executive staff and service owners of ISMS assets, implements the Information Security Management System (ISMS) and develops an ISMS Framework, with operational and administrative support, advice and governance from the Director, Cyber Security Operations
  • when ICT projects are initiated:
    • reviews the project and its compliance against relevant security standards
    • reviews design and architecture documentation
  • develops, maintains, reviews and completes performance analysis of the Cyber Incident Response Plan as part of continual improvement.

The Audit directorate:

  • conducts systematic and periodic checks to ensure the effective implementation and operation of the ISMS against the framework.

The Chief Risk Office:

  • ensures cyber risk frameworks align with the Enterprise Risk Management Framework (refer to Policy and framework) and are applied when assessing cyber security risks and setting the department’s risk appetite.

The Manager, IT Audit, Assurance and Risk:

  • coordinates internal audit programs for cyber security
  • coordinates updates to the Enterprise Risk Register.

Asset support staff:

  • work in collaboration with the Cyber Security team to ensure the department’s information security management practices are continuously improved in line with NSW Government requirements
  • monitor and respond to cyber security incidents and events
  • report cyber security incidents to the Cyber Security team.

All principals and managers:

  • ensure staff remain compliant with mandatory training requirements and monitor completion through their SCOUT Compliance reports
  • ensure the Cyber security policy and applicable policies, standards and procedures are effectively communicated and implemented throughout all schools and education support areas
  • identify and report cyber threats
  • communicate information security matters to technology support staff and information users
  • collaborate with ITD staff to manage security requirements for their systems.

All staff (including contingent workers and third-party contractors):

  • contribute to the department’s cyber security culture by exercising a duty of care to protect the department’s system and information, participating in mandatory cyber security training and reporting all known or suspected cyber security risks
  • complete annual mandatory training (refer to Professional learning [staff only]; training is available through the department’s professional learning platform)
  • comply with the Cyber security policy and other applicable policies, standards and procedures for using department devices, systems, and information properly and securely
  • use digital devices provided by the department for official purposes only and exercise a duty of care to protect the department’s digital systems and information
  • apply the same duty of care when using a personal device to access department systems and information. Additional actions as required under the Digital devices and online services – staff use policy ensure these devices remain secure
  • report any known or suspected cyber security risks to the appropriate risk and control owners within schools and business units through the department’s Cyber Incident Response Plan
  • cooperate with relevant Cyber Security and Chief Risk Office staff to manage identified risks in line with the department’s risk appetite
  • be aware of and have access to the department’s Enterprise risk management policy and framework to support risk-informed decision-making
  • when initiating ICT projects or activities where department data is being transmitted or received, consult the Cyber Security team throughout the project’s lifecycle
  • when initiating or managing projects, initiatives or activities with an AI component, engage the AI Review Service and AI Executive Leadership Group (ELG) for review and approval before proceeding
  • when managing student data, obtain parental or carer consent for the use of online applications where appropriate, as outlined in this procedure
  • consider whether a data breach has occurred when reporting an incident or event. Any data breach has additional reporting requirements in line with the Data breach response plan
  • comply with the department’s Cyber security standards (refer to Policies, strategies and standards) to manage the security of assets such as staff and student health, personal and other sensitive information.

Any company with a current ProcureIT, Core&, ICTA or MICTA contract, or any other current contract signed with the department:

  • annually completes their in-house cyber awareness training
  • incorporates information security requirements into new and continuing procurement of information and communications technology (ICT) and digital goods and services contracts. This includes ensuring that contract requirements are complied with.

What needs to be done

The department must comply with the NSW Cyber Security policy to ensure it appropriately manages cyber security risks to its information. This information is spread across education support and school environments and includes personal, health, confidential and legally privileged information.

The Secretary must ensure the department:

  • maintains secure digital devices, systems and information
  • protects the confidentiality, integrity and availability of information
  • creates a culture of cyber security resilience
  • reports on compliance with the NSW policy.

1. Planning and governance

To ensure appropriate governance and planning, the department must:

  • appoint specific roles and responsibilities to perform cyber security functions
  • develop, implement and maintain a department-wide cyber security plan, which must include the department’s general approach to uplift cyber security capabilities and build resilience
  • annually report to Cyber Security NSW on the department’s cyber security maturity.

1.1 The Secretary allocates roles and responsibilities for cyber security

The Secretary must appoint appropriate senior executive officers and a governance committee to oversee and implement the department’s cyber security obligations.

The NSW Cyber Security policy guides the requirements for the department’s roles and responsibilities for cyber security. For a full list of assigned responsibilities, refer to Policies, strategies and standards, the Cyber Security Responsibilities (PDF 198 KB) matrix.

The Secretary must appoint:

  • the Chief Information Officer who must oversee and implement the department’s Cyber Security policy, set the strategic direction for the Cyber Security team, establish department cyber security programs and plans, and appropriately resource and support department cyber security initiatives, including training and awareness and continual improvement initiatives
  • the Chief Information Security Officer who must ensure compliance with the NSW Cyber Security policy and support the department to implement and maintain an effective cyber security program and plan including via effective collaboration and governance forums
  • a governance committee, the Audit and Risk Committee, which governs key compliance activities
  • a consultative forum, the Cyber Security Working Group, which contributes and consults on key compliance activities.

1.2 The Chief Information Security Officer develops a cyber security plan

The Chief Information Security Officer (CISO) ensures the Cyber Security team develops, implements, and maintains a cyber security plan.

The cyber security plan consists of the:

The plan is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and aligns with the NSW Cyber Security Policy and the Australian Cyber Security Centre’s Essential Eight. The plan must:

  • be integrated with business continuity procedures
  • include consideration of threats, risks and vulnerabilities that impact the protection of the department’s digital systems and information within the department’s cyber security risk tolerance
  • outline the department’s goals, initiatives and general approach to uplift cyber security capabilities and build resilience across the department.

1.3 The Chief Information Security Officer reports to Cyber Security NSW

Each year (by 31 October), the Chief Information Security Officer (CISO) must submit a maturity report to Cyber Security NSW.

The Cyber Security team prepares the report using the template provided by Cyber Security NSW, which must provide assurance of the department’s compliance with the NSW Cyber Security policy, including:

  • evidence of its maturity against all mandatory requirements in the NSW Cyber Security Policy and the Australian Cyber Security Centre’s (ACSC) Essential Eight for the previous financial year
  • a list of cyber security risks with a residual rating of high or extreme and a list of the department’s ‘crown jewels’
  • an attestation on cyber security signed off by the Secretary.

Service owners, as well as other relevant stakeholders across the department, must cooperate with the Cyber Security team throughout this process.

2. Build a cyber security culture

The Cyber Security Working Group must promote a cyber-safe culture across the organisation, to ensure cyber security is understood as a shared responsibility.

The Cyber Security team must:

  • provide access to mandatory cyber security training to increase awareness and encourage the reporting of cyber security risks by all staff
  • share information about using department devices, systems, and information properly and securely
  • establish and enforce appropriate access controls and security screening procedures for individuals granted access to department devices, systems, and information.

All staff must contribute to the department’s cyber security culture by:

  • protecting the department’s system and information
  • participating in mandatory cyber security training
  • reporting all known or suspected cyber security risks.

2.1 Complete mandatory training

The Cyber Security team must develop, maintain and implement mandatory cyber security training to help all employees gain the appropriate knowledge to protect sensitive information and mitigate potential risks.

All staff, including contingent workers and third-party contractors, must complete annual mandatory training (refer to Professional learning [staff only]; training is available through the department’s professional learning platform).

Principals and managers must ensure staff remain compliant with mandatory training requirements by monitoring completion through SCOUT compliance reports. For more information on the compliance reports refer to:

Refer to Cyber safety’s Professional learning for a list of mandatory cyber security training courses.

Outsourced ICT service providers must also annually complete their in-house cyber awareness training and may be required to provide evidence of completion to the department’s contract manager. Refer to ICT contract requirements for more information.

2.2 Practice cyber safety

All staff must comply with the Cyber security policy and other applicable policies, standards and procedures for using department devices, systems and information properly and securely, including:

In particular, staff must comply with the requirements in the Digital devices, services and information – staff use policy when:

  • travelling overseas (for personal or work-related reasons) – refer to section 4 ‘Taking or accessing department digital devices, services and information from overseas’
  • using department-provided digital devices – use these for official purposes only and protect the department’s digital systems and information
  • using a personal device to access department systems and information – protect the department’s digital systems and information and ensure these devices remain secure.

All principals and managers must also ensure the Cyber security policy and applicable policies, standards and procedures are effectively communicated and implemented throughout all schools and education support areas.

Action by staff that goes against these practices is deemed unacceptable use and may be subject to disciplinary action.

3. Manage cyber security risks

To safeguard and secure its information and systems, the department manages its cyber security risks by:

3.1 Implement and maintain an information security management system

The department must implement and maintain an information security management system (ISMS) and framework, as outlined in this section.

The ISMS framework outlines the scope and operation of the department’s ISMS, allows the department to measure its performance against the objectives of the department’s cyber security plan, and is provided to Cyber Security NSW each year as evidence of compliance (as outlined in 1. Planning and governance).

The Audit directorate must conduct systematic and periodic checks to ensure the system’s effectiveness against the framework.

Service owners of ISMS assets and asset support staff must support the system’s implementation in collaboration with the Cyber security team.

The Chief Information Officer (CIO) must allocate funding and resources to develop, implement and maintain an Information Security Management System (ISMS) that:

  • aligns with the requirements in the NSW Cyber Security policy and the Australian Cyber Security Centre’s Essential Eight
  • maintains compliance and certification with the following international standards:
  • enables industry best practice for identifying assets, assessing risk and applying appropriate controls within the department’s scope.

The CIO also needs to:

  • determine the scope of CIO and Chief Operating Officer responsibilities for cyber security relating to assets such as information, building management systems and industrial automation and control systems
  • ensure a secure-by-design approach for new initiatives and upgrades to department systems.

The Cyber Security team must implement the ISMS and develop an ISMS framework in collaboration with the Director, Cyber Security Operations. The director must also:

  • develop and maintain cyber security procedures and guidelines
  • manage the life cycle of cyber security platforms including design, deployment, ongoing operation, and decommissioning
  • ensure appropriate management of the availability, capacity and performance of cyber security hardware and applications
  • provide input and support to regulatory compliance and assurance activities and manage any resultant remedial activity
  • act as a focal point within the department for all matters related to information management required to support cyber security
  • escalate and report cyber incidents that involve information damage or loss to the Legal Services directorate
  • measure the performance of the ISMS and report to the Chief Information Security Officer (CISO).

The CISO is responsible for approving the ISMS and must also:

  • allocate resources for its function and manage the budget and funding for the cyber security program
  • endorse or approve policies, procedures, practices and tools to ensure compliance with the NSW Cyber Security Policy
  • assess and provide recommendations on any exemptions to department cyber security policies and standards
  • ensure the ISMS achieves its intended outcomes
  • report on the performance of the ISMS to the department’s executive.

All staff must comply with the department’s Cyber security standards (refer to Policies, strategies and standards for all the information staff need to comply) to manage the security of assets such as staff and student health, personal and other sensitive information.

The current list of standards is:

  • API Security Standard
  • Cryptography Standard
  • Data Centre Physical Security Standard
  • Data Masking and De-Identification Standard
  • Identity and Access Management Standard
  • Logging and Monitoring Standard
  • Network Security Standard
  • Operating System Security Standard
  • Patch Management Standard
  • Password Standard
  • Privileged Access Management Standard
  • Remote Access Standard
  • Secure Coding Standard
  • Vulnerability Management Standard.

3.2 Manage cyber risk

The department determines its risk appetite and develops a cyber security strategy to respond to this, as outlined below.

The department operates a threat driven, risk informed approach to managing cyber security risks. At an enterprise governance level:

To effectively manage cyber risk, all staff must:

  • report identified cyber security risks to the appropriate risk and control owners within schools and business units (this may be to a manager, principal, or other delegated staff member – refer to Reporting a security incident for more information)
  • cooperate with relevant Cyber Security and Chief Risk Office staff to manage identified risks
  • be aware of and have access to the department’s Enterprise risk management policy and framework (refer to Policy and framework) to support risk-informed decision-making.

All principals and managers who own and control risk, including business owners and service owners, must (in line with the Enterprise risk management policy and framework [refer to Policy and framework]):

  • identify cyber threats and rate the likelihood and consequences should those threats be realised
  • communicate information security matters to technology support staff and information users
  • collaborate with ITD staff to manage security requirements for their systems.

The Director, Cyber Security Operations must coordinate cyber security risk assessments across ISMS assets and third-party vendors that send or receive ISMS asset data, and ensure identified risks are managed to an acceptable level.

As part of this, service owners, with the assistance of asset support staff, must develop and implement technical information security safeguards to manage identified risks.

The Chief Risk Office must:

  • ensure cyber risk frameworks align with the Enterprise Risk Framework and are applied when assessing cyber security risks and setting the department’s risk appetite.

The Manager, IT Audit, Assurance and Risk must:

  • coordinate internal audit programs for cyber security
  • coordinate updates to the Enterprise Risk Register.

3.3 Ensure ICT service providers comply with cyber security requirements

All staff responsible for managing information and communications technology (ICT) contracts must incorporate information security requirements into new and continuing procurement of ICT and digital goods and services contracts. This includes ensuring that contract requirements are complied with.

Refer to ICT contract requirements for details and for a list of goods and services to which these requirements may apply.

The Director, Cyber Security Operations must work with contract managers and Procurement to ensure that third-party ICT service providers:

  • understand and comply with the department’s cyber security requirements
  • operate within the department’s ICT contract requirements and participate in security and performance reviews as required.

Staff responsible for initiating ICT projects or managing student data in online applications must read the applicable requirements below.

3.4 Ensure ICT projects or AI initiatives comply with requirements

All staff initiating ICT projects or activities where department data is being transmitted or received, must consult the Cyber Security team throughout the project’s lifecycle.

The Cyber Security team must:

  • ensure new projects comply with relevant cyber security standards
  • review design and architecture documentation
  • ensure appropriate security testing activities have been completed before go-live.

Refer to Technology cyber security assessment for more information.

All staff initiating or managing projects, initiatives or activities with an AI component must have them reviewed by the AI Review Service and gain AI Executive Leadership Group approval before proceeding. This aligns with mandatory reporting under the NSW AI Assurance Framework and the National Framework for AI in Schools.

The AI Review Service and AI Executive Leadership Group can be contacted at AI.ELG@det.nsw.edu.au.

3.5 Manage student data in online applications

Student data refers to any data the department possesses or controls that relates to or concerns current, past or future students from any education setting.

All staff managing student data must obtain parental or carer consent, where required, before using online applications. Table 1 sets out which category of application needs consent.

Table 1 Consent needed by online application

Core applications
  • Provided to schools by the department free of charge.
  • Include Microsoft Office 365, Google Workspace, Adobe Creative Cloud and Zoom.
  • Assessed by the department and do not require parental or carer consent for their use in schools.

Approved applications
  • Listed on the Online Learning Tools Marketplace and Administration Marketplace Panel for Schools.
  • Assessed by the department and do not require parental or carer consent for their use in schools.

Other applications
  • Any application not listed as a core or approved application. These require a cyber security assessment before being used, to ensure they are safe for staff and student use.
  • It is strongly recommended that all staff consider using a core or approved application wherever one would satisfy the same purpose as a non-approved application.
  • Staff can request that the Cyber Security team conduct the cyber security assessment, or can perform their own.
  • All applications in this category require that informed parental or carer consent be obtained before they are used.
  • The Cyber Security team has developed the AssessedIT tool so that schools can review the results of assessments conducted by the Cyber Security team and generate consent forms containing the required information.
  • For information on how to request or perform a cyber security assessment, refer to Online software applications and parental consent.

While consent does not need to be obtained for the use of core and approved applications, it is best practice to inform parents of their use.

4. Build resilience and report cyber security incidents

The department works to improve its resilience, including its ability to rapidly detect cyber incidents and respond appropriately, through its Cyber Incident Response Plan.

A cyber security incident is any event that threatens or has compromised the security of the department’s digital devices or services.

All staff must contribute to this plan by reporting any known or suspected cyber security incidents or data breaches.

4.1 The department maintains a cyber incident response plan

Effective cyber security relies on early notification of recognised vulnerabilities and threats. The Chief Information Security Officer (CISO) must report cyber incidents to the department’s executive and Cyber Security NSW as outlined below.

The Chief Information Security Officer (CISO) must report cyber incidents to the department’s executive and Cyber Security NSW in alignment with:

The Cyber Security team must develop, maintain, review and complete performance analysis of the Cyber Incident Response Plan as part of continual improvement.

The department's Cyber Incident Response Plan:

  • complies with the NSW Cyber Security policy
  • describes the processes, responsibilities, and tools used by incident response staff, executive staff and other relevant risk management branches for responding to cyber incidents beyond business as usual events in the department
  • integrates with the department’s Major Incident Management Process and the NSW Government Cyber Incident Response Plan
  • is exercised annually in line with NSW Cyber Security policy requirements by simulating cyber incident scenarios to test its effectiveness as well as the coordination of operational and executive response.

The Director, Cyber Security Operations must manage and coordinate the response to cyber security incidents, changing threats, and vulnerabilities.

4.2 Report cyber incidents and events

All staff must report any known or suspected cyber incidents and events promptly to both:

  • their principal or manager
  • the Cyber Security team via EDConnect on 1300 32 32 32.

A cyber security incident is defined as any event that threatens or has compromised the security of the department’s digital devices or services. Refer to Reporting a security incident for more information about what you may need to report and how.

All staff must also:

  • cooperate with the Cyber Security team to investigate, analyse and respond to cyber incidents
  • consider whether a data breach has occurred when reporting an incident or event. Any data breach has additional reporting requirements in line with the Data breach response plan.

Asset support staff must monitor and respond to cyber security incidents and events.

Data breaches

A data breach occurs where personal, health, commercially sensitive or confidential information held by the department is accessed or disclosed without authorisation or is lost.

Control failures, external events, or the accidental or malicious actions of individuals may result in breaches of the confidentiality, integrity or availability of the department’s information.

Cyber incidents or events differ from data breaches in that they include all types of unauthorised IT activities which may, or may not, result in a data breach.

Supporting tools, resources and related information

The Chief Information Security Officer monitors the implementation of this procedure, regularly reviews its contents to ensure relevance and accuracy, and updates it as needed.
