These procedures relate to the Cyber security policy.

The Secretary:

• ensures the department complies with the requirements of the NSW Cyber Security Policy and timely reporting on compliance with the policy
• appoints appropriate senior executive officers and a governance committee to oversee and implement the department’s obligations under the NSW Cyber Security Policy
• ensures the department implements and maintains an effective cyber security plan
• determines the department’s risk appetite (refer to the Enterprise risk management Toolkit [staff only]) using the approved whole-of-government Internal Audit and Risk Management Policy (refer to NSW Treasury’s Internal audit and risk management)
• signs off on any mandatory requirements under the NSW Cyber Security Policy that have been assessed as not met or partially met in the assurance assessment submitted to Cyber Security NSW.

The Chief Operating Officer (COO):

• supports the department’s cyber security strategy and plan.

The Chief Data Officer (CDO):

• supports the department’s cyber security strategy and plan.

The Chief Information Officer (CIO):

• oversees and implements the department’s Cyber security policy and sets the strategic direction for the Cyber Security team in alignment with organisational goals
• establishes department cyber security programs and plans, and appropriately funds, resources, prioritises and supports department cyber security initiatives, including training and awareness and continual improvement initiatives
• supports the department’s cyber security strategy and plan
• allocates funding and resources to develop, implement and maintain an Information Security Management System (staff only)
• enables industry best practice for identifying assets, assessing risk and applying appropriate controls within the department’s scope
• determines the scope of CIO and COO responsibilities for cyber security relating to assets such as information, building management systems
• assists the Director, Cyber Security with their responsibilities
• ensures a secure-by-design approach for new initiatives and upgrades to department systems.

Chief Audit Executive:

• conducts systematic and periodic checks to ensure the effective implementation and operation of the department's Information Security Management System (ISMS), including its adherence to the NSW Cyber Security Policy
• validates that the cyber security strategy and plan (or similar document) meets the department’s goals and objectives, and ensures the plan supports the agency’s cyber security strategy
• reviews the department’s adherence to the NSW Cyber Security Policy and cyber security controls
• provides assurance regarding the effectiveness of cyber security controls
• reports the results of audit and assurance activities to the Audit and Risk Committee and the Secretary, as required.

The Chief Risk Officer:

• ensures cyber risk frameworks align with the Enterprise Risk Management Framework (refer to Policy and framework [staff only]) and are applied when assessing cyber security risks and setting the department’s risk appetite.

The Director, Cyber Security:

• ensures compliance with the NSW Cyber Security Policy and supports the department to develop, implement and maintain an effective cyber security strategy and program (for example, via effective collaboration and governance forums or advice on budgeting and resourcing) aligns cyber security with organisational goals and objectives
• submits a compliance report to Cyber Security NSW each year (by 31 October)
• provides guidance on cyber security risks introduced from business and operational change
• ensures appropriate risk treatment strategies are in place for identified risks that fall outside the acceptable risk tolerance
• approves the Information Security Management System (ISMS) and
  • allocates resources for its function and manages the budget and funding for the cyber security program
  • endorses or approves policies, procedures, practices and tools to ensure compliance with the NSW Cyber Security Policy
  • implements and executes controls to mitigate risks
  • reviews and provides recommendations on any exemptions to department information security policies and standards
  • ensures the ISMS achieves its intended outcomes
  • measures the performance of the ISMS and reports to the CIO
  • reports on the performance of the ISMS to the department’s executive
• develops a cyber security strategy, architecture and risk management process that incorporates these with the department’s Enterprise management policy and Enterprise risk management framework (staff only)
• investigates, responds to and reports cyber incidents to the department’s executive and Cyber Security NSW in alignment with
  • Cyber Security NSW severity definitions (refer to Cyber Security NSW glossary)
  • the department's Cyber Incident Response Plan.
• coordinates the implementation and day-to-day operation of the ISMS Framework and ensures the ISMS meets the required international standards
• develops and maintains cyber security standards, procedures and guidelines
• manages the life cycle of cyber security platforms including design, deployment, ongoing operation, and decommissioning
• ensures appropriate management of the availability, capacity and performance of cyber security hardware and applications
• provides input and support to regulatory compliance and assurance activities and manages any resultant remedial activity
• implements cyber security directives issued by NSW Government
• acts as a focal point within the department for all matters related to information management required to support cyber security
• escalates and reports cyber incidents that involve information damage or loss to the Legal Services directorate
• manages the life cycle of cyber security platforms, including design, deployment, ongoing operation and decommissioning
• ensures that privacy considerations are integrated into the department's cyber security policies, procedures and processes
• ensures all staff, including consultants, contractors and outsourced service providers, understand the cyber security requirements of their roles
• coordinates cyber security risk assessments across ISMS assets and third-party vendors that send or receive ISMS asset data, and ensures identified risks are managed to an acceptable level
• in accordance with the ITD Contract Management Framework (staff only), ensures third-party ICT service providers
  • understand and comply with the department’s cyber security requirements
  • operate within the department’s information security requirements (refer to ICT contract requirements [staff only]) and participate in security and performance reviews as required
• manages and coordinates the response to cyber security incidents, changing threats and vulnerabilities.

The Cyber Security Working Group:

• is a consultative forum that contributes and consults on key compliance activities
• promotes a cyber-safe culture across the organisation, to ensure cyber security is understood as a shared responsibility
• promotes cyber safety practices and secure-by-design principles in all schools and education support settings.

The Audit and Risk Committee (ARC):

• provides independent expert advice on the agency’s governance, risk management and control frameworks, as well as its external accountability obligations.

The Cyber Security team:

• investigates and responds to cyber security incidents
• develops, implements and maintains the department’s cyber security plan
• prepares a compliance report for Cyber Security NSW annually
• develops, maintains and implements mandatory cyber security training for all employees, regardless of their role or level of access, to gain the appropriate knowledge to protect sensitive information and mitigate potential risks
• develops and provides access to cyber security awareness materials and resources
• encourages the reporting of cyber security risks by all staff
• develops and shares information about using department devices, systems, and information properly and securely
• establishes and enforces appropriate access controls and security screening procedures for staff granted access to department devices, systems and information
• implements the Information Security Management System (ISMS) with operational and administrative support, advice and governance from the Director, Cyber Security
• when ICT projects are initiated
  • reviews the project and its compliance against relevant security standards and secure-by-design principles
  • reviews design and architecture documentation
• develops, maintains, reviews and completes performance analysis of the Cyber Incident Response Plan as part of continual improvement.

The Safe Artificial Intelligence (AI) team:

• ensures new projects, initiatives or activities comply with the NSW AI Assessment Framework and the National Framework for Generative AI in schools
• reviews the safety and ethical components of an AI project, initiative or activity before go-live.

Legal Services

• ensures that privacy considerations are integrated into the agency's overall cyber security policies, procedures and processes
• collaborates with the Cyber Security team in incident response planning
• coordinates the investigation of privacy incidents, determining the extent of the breach and coordinating notifications to affected individuals and regulatory authorities.

System business owners and service owners:

• cooperate and collaborate with the Cyber Security team in the preparation of the annual maturity report and other compliance activities as required
• communicate information security matters and requirements to technology support staff and information users
• with the assistance of asset support staff, develop and implement technical information security safeguards to manage identified risks.

Information Security Management System (ISMS) asset support staff:

• work in collaboration with the Cyber Security team to ensure the department’s information security management practices are continuously improved in line with NSW Government requirements
• monitor and respond to cyber security incidents and events
• report cyber security incidents to the Cyber Security team.

All principals and managers:

• ensure staff remain compliant with mandatory training requirements
• ensure the Cyber security policy and applicable policies, standards and procedures are effectively communicated and implemented throughout all schools and education support areas
• identify and report cyber threats
• communicate information security matters to technology support staff and information users
• collaborate with ITD staff to manage security requirements for their systems.

All staff (including contingent workers and third-party contractors):

• contribute to the department’s cyber security culture by exercising a duty of care to protect the department’s system and information, participating in mandatory cyber security training and reporting all known or suspected cyber security risks
• complete mandatory training (refer to Professional learning [staff only]). Training is available through the department’s professional learning platform)
• comply with the Cyber security policy and other applicable policies, standards and procedures for using department devices, systems, and information properly and securely
• use digital devices provided by the department for official purposes only and exercise a duty of care to protect the department’s digital systems and information
• apply the same duty of care when using a personal device to access department systems and information. Additional actions as required under the Digital devices, services and information - staff use policy ensure these devices remain secure
• report any known or suspected cyber security risks to the appropriate risk and control owners within schools and business units through the department’s Cyber Incident Response Plan
• cooperate with relevant Cyber Security and Chief Risk Office staff to manage identified risks in line with the department’s risk appetite
• be aware of and have access to the department’s Enterprise management policy and Enterprise risk management framework (staff only) to support risk-informed decision-making
• when initiating ICT projects or activities where department data is being transmitted or received, consult the Cyber Security team throughout the project’s lifecycle
• when initiating or managing projects, initiatives or activities with an AI component, engage the Safe AI team before commencement and throughout the project’s lifecycle
• when managing student data, obtain parental or carer consent for the use of online applications where appropriate, as outlined in this procedure
• consider whether a data breach has occurred when reporting an incident or event. Any data breach has additional reporting requirements in line with the Data breach response plan (staff only)
• comply with the department’s Cyber security standards (refer to Policies, strategies and standards [staff only]) to manage the security of assets such as staff and student health, personal and other sensitive information.

Any company with a current ProcureIT, Core&, ICTA or MICTA contract, or any other current contract signed with the department:

• annually completes their in-house cyber awareness training
• incorporates information security requirements into new and continuing procurement of information and communications technology (ICT) and digital goods and services contracts. This includes ensuring that contract requirements are complied with
• participates in security reviews according to their contractual obligations.

The NSW Cyber Security Policy guides the requirements for the department’s roles and responsibilities for cyber security. For a full list of assigned responsibilities, refer to the Cyber Security Responsibilities (staff only) (PDF 198 KB) matrix.

The Secretary must appoint:

• the Chief Information Officer who must oversee and implement the department’s Cyber Security policy, set the strategic direction for the Cyber Security team, establish department cyber security programs and plans, and appropriately resource and support department cyber security initiatives, including training and awareness and continual improvement initiatives
• the Director, Cyber Security, who must ensure compliance with the NSW Cyber Security Policy and support the department to implement and maintain an effective cyber security strategy and program
• a governance committee, the Audit and Risk Committee, which provides independent advice and support to the Secretary regarding the department's governance, risk and internal control frameworks as well as external accountability obligations. The committee’s function, tenure and composition is detailed in the charter for the Audit and Risk Committee (staff only)
• a consultative forum, the Cyber Security Working Group, which contributes and consults on key compliance activities.

The department’s cyber security strategy (refer to Policies, strategies and standards [staff only]) is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and aligns with the NSW Cyber Security Policy and the Australian Cyber Security Centre’s Essential Eight. The strategy:

• aligns with the department's strategic business objectives and business continuity procedures
• includes consideration of threats, risks and vulnerabilities that impact the protection of the department’s digital systems and information within the department’s cyber security risk tolerance
• outlines the department’s goals, initiatives and general approach to uplift cyber security capabilities and build resilience across the department.

The Director, Cyber Security ensures the Cyber Security team defines and implements a cyber security plan. The plan considers current cyber security threats, risks and vulnerabilities and outlines actions and initiatives to make improvements and address any gaps in the department's information security practices. The plan is supported by relevant members of the department's executive.

The department's cyber security plan consists of the:

• Cyber Security Strategy (staff only) (PDF 3.3 MB) (refer to Policies, strategies and standards [staff only])
• Cyber Uplift Program Plan.

All staff must comply with the Cyber security policy and other applicable policies, standards and procedures for using department devices, systems and information properly and securely, including:

• Code of ethics and conduct procedure
• Digital devices, services and information – staff use policy
• Technology in schools policy
• Cyber security standards (refer to Polices, strategies and standards [staff only]).

All principals and managers must also ensure the Cyber security policy and applicable policies, standards and procedures are effectively communicated and implemented throughout all schools and education support areas.

Action by staff that goes against these practices is deemed unacceptable use and may be subject to disciplinary action.

The department must implement all mandatory cyber security requirements issued by the NSW Government, ensuring alignment with relevant policies, frameworks and directives. These requirements form part of the broader administrative requirements that provide whole-of-government direction to standardise and enhance governance and performance outcomes.

The Director, Cyber Security ensures that the Cyber Security team develops and updates policies and procedures to comply with these directives.

All staff must comply with these directives and integrate them into their work practices to maintain the security and integrity of government information and systems.

The Cyber Security team prepares the report using the template provided by Cyber Security NSW, which must provide assurance of the department’s compliance with the NSW Cyber Security Policy, including:

• an assurance assessment against all mandatory requirements in the NSW Cyber Security Policy for the previous financial year
• a list of cyber security risks with a residual rating of high or extreme and a list of the department’s ‘Crown Jewels’
• the Secretary’s formal sign-off on any mandatory requirements that have been assessed as not met or partially met during the assurance assessment.

Service owners, as well as other relevant stakeholders across the department, must cooperate with the Cyber Security team throughout this process.

The Chief Information Officer (CIO) must appropriately fund, resource, prioritise and support the department's cyber security initiatives, including training and awareness, and continual improvement initiatives to support the NSW Cyber Security Policy.

The CIO must also:

• align cyber security with organisational goals and objectives in collaboration with the Director, Cyber Security
• determine the scope of CIO and Chief Operating Officer responsibilities for cyber security relating to assets such as information and building management systems
• ensure a secure-by-design approach for new initiatives and upgrades to existing department systems, including legacy systems
• ensure all staff and providers understand their role in building and maintain secure systems in collaboration with the Director, Cyber Security
• report results of audit and assurance to the Audit and Risk Committee.

The Director, Cyber Security, in collaboration with the Cyber Security team, must develop and implement the ISMS. The director must also:

• provide day-to-day management and oversight of operational delivery
• provide guidance on cyber security risks introduced from business and operational change
• manage the life cycle of cyber security platforms, including design, deployment, ongoing operation and decommissioning
• implement and execute controls to mitigate risks
• ensure appropriate management of the availability, capacity and performance of cyber security hardware and applications
• provide input and support to regulatory compliance and assurance activities and manage any resultant remedial activity
• ensure all staff, including consultants, contractors and outsources service providers, understand the cyber security requirements of their roles
• ensure privacy considerations are integrated with cyber security policies, procedures and processes
• act as a focal point within the department for all matters related to information management required to support cyber security
• develop a metrics and assurance framework to measure the effectiveness of controls and report findings to the Chief Information Officer
• manage the cyber security budget and ensure that resources are allocated to address cyber security needs and risks
• implement policies, procedures, practices and tools to ensure compliance with the NSW Cyber Security Policy
• review and provide recommendations on any exemptions to department information security policies and standards
• ensure the ISMS achieves its intended outcomes
• report on the performance of the ISMS to the department’s executive.

Service owners of ISMS assets and asset support staff must support the system’s implementation in collaboration with the Cyber Security team.

The Audit directorate works with the Cyber Security team to validate the effectiveness of the department's cyber security controls. The Audit directorate must:

• conduct systematic and periodic checks to ensure the effective implementation and operation of the department's ISMS, including its adherence to the NSW Cyber Security Policy
• regularly review the department's adherence to the NSW Cyber Security Policy and cyber security controls
• provide assurance regarding the effectiveness of cyber security controls.

The department operates a threat-driven, risk-informed approach to managing cyber security risks. At an enterprise governance level:

• the Secretary, in consultation with the Chief Risk Officer, must determine the department’s risk appetite (refer to Toolkit [staff only]) using the approved whole-of-government Internal Audit and Risk Management Policy (refer to NSW Treasury’s Internal audit and risk management), defining how much and what type of risk the department is willing to take on to achieve its objectives
• the Chief Risk Office must ensure cyber risk frameworks align with the Enterprise risk management framework (staff only) and are applied when assessing cyber security risks and setting the department’s risk appetite
• the Director, Cyber Security must develop a cyber security strategy, architecture and risk management process that incorporates with the department’s current Enterprise risk management framework.

The Director, Cyber Security is responsible for:

• conducting risk assessments to identify and evaluate potential cyber security threats and vulnerabilities
• ensuring processes are developed and implemented to identify and manage risks related to internal assets and third-party service provider risks
• ensuring appropriate risk treatment strategies are in place for identified risks that fall outside the acceptable risk tolerance
• ensuring unmitigated cyber risks outside of the department’s risk appetite are escalated in line with the Enterprise risk management framework (staff only)

As part of this, service owners, with the assistance of asset support staff, must develop and implement technical information security safeguards to manage identified risks.

To effectively manage cyber risk, all staff must:

• report identified cyber security risks to the appropriate risk and control owners within schools and business units (this may be to a manager, principal, or other delegated staff member – refer to Reporting a security incident [staff only] for more information)
• cooperate with relevant Cyber Security and Chief Risk Office staff to manage identified risks
• be aware of and have access to the department’s Enterprise management policy and Enterprise risk management framework (staff only) to support risk-informed decision-making.

All principals and managers who own and control risk, including business owners and service owners, must (in line with the Enterprise management policy and Enterprise risk management framework:

• identify cyber threats and rate the likelihood and consequences should those threats be realised
• communicate information security matters to technology support staff and information users
• collaborate with ITD staff to manage security requirements for their systems.

The Director, Cyber Security must work with contract managers and Procurement to ensure third-party ICT service providers understand and comply with the department’s cyber security requirements. This includes:

• enforcing compliance with the department’s ICT contract requirements (staff only)
• conducting security and performance reviews as required
• establishing contractual obligations for third-party providers to notify the agency of security incidents or data breaches
• conducting regular assessments of third-party providers for adherence to cyber security requirements through audits, assurance reports, or other evaluations
• managing third-party risks in accordance with defined risk-based tolerances, including enforcing contractual provisions for addressing non-compliance, such as break clauses where necessary.

The Director, Cyber Security (in collaboration with the Cyber Security team) is responsible for developing and maintaining the department's Cyber Incident Response Plan. The department's plan:

• complies with the NSW Cyber Security Policy
• describes the processes, responsibilities, workflows and tools used by incident response staff, executive staff and other relevant risk management branches for responding to cyber incidents beyond business-as-usual events in the department
• integrates with the department’s Major Incident Management Process and the NSW Government Cyber Incident Response Plan
• integrates with the department’s Data breach response plan (staff only) and procedure
• is exercised annually in line with NSW Cyber Security Policy requirements by simulating cyber incident scenarios to test its effectiveness as well as the coordination of operational and executive response.

The Cyber Security team must develop, maintain, review and complete post-incident and post-exercise performance analysis of the Cyber Incident Response Plan as part of continual improvement.

The Director, Cyber Security must manage and coordinate the response to cyber security incidents, changing threats, and vulnerabilities. All incidents are documented as part of the Cyber Incident Register.

A cyber security incident is defined as any event that threatens or has compromised, the security of the department’s digital devices or services.

All staff must promptly report any known or suspected cyber incidents, events and threats to both:

• their principal or manager
• the Cyber Security team via EDConnect on 1300 32 32 32.

Refer to Reporting a security incident (staff only) for more information about what you may need to report and how.

All staff must also:

• cooperate with the Cyber Security team to investigate, analyse and respond to cyber incidents
• consider whether a data breach has occurred when reporting an incident or event. Any data breach has additional reporting requirements in line with the Data breach response plan (staff only).

Asset support staff must monitor and respond to cyber security incidents and events.

PSSE staff must lead implementation of secure cyber practices in their teams or schools by:

• ensuring staff follow secure workplace practices including using strong and unique passwords and not using departmental email for personal business. Refer to the Digital devices, services and information – staff use policy for more information
• setting secure information storing and sharing practices. Refer to Protecting personal information (staff only) for more information.

The Cyber Security team must:

• develop, maintain and implement mandatory cyber security and data breach training to help all new staff gain the appropriate knowledge of evolving cyber security threats, data breach reporting responsibility and secure workplace practices
• share information about using department devices, systems, and information properly and securely
• conduct phishing simulations to test department security policies and practices, and uplift staff capabilities to recognise and report phishing emails.

Principals and managers must ensure staff remain compliant with mandatory training requirements by monitoring completion through SCOUT compliance reports. Further information on compliance reports can be found below.

• For school staff: Staff Compliance (staff only)
• For education support staff: Education Support Staff (ESS) Staff Compliance report

All staff, including contingent workers and third-party contractors, must contribute to the department’s cyber security culture by:

• protecting the department’s systems and information
• participating in mandatory cyber security training on induction and complete the Annual Competency Check annually. Refer to Cyber Safety's Professional learning (staff only) for a list of mandatory cyber security training courses
• keeping up to date with cyber security awareness and advice
• reporting phishing emails and all suspected cyber security risks.

Outsourced ICT service providers must also annually complete their in-house cyber awareness training and may be required to provide evidence of completion to the department’s contract manager. Refer to ICT contract requirements (staff only) for more information.

• An in-depth list of governance roles and responsibilities has been developed to align with the NSW Cyber Security Policy. For more information, refer to Policies, strategies and standards (staff only) and the Cyber Security Responsibilities (staff only) (PDF 198 KB) matrix.
• Cyber Security Strategy (refer to Policies, strategies and standards [staff only])
• National Institute of Standards and Technology (NIST) Cybersecurity Framework
• Australian Cyber Security Centre’s Essential Eight
• Mandatory cyber security training (refer to Professional learning [staff only])
• ICT contract requirements (staff only)
• AssessedIT (staff only)
• Information Security Management System (staff only)
• ISO/IEC 27001 Information security management systems – Requirements
• ISO/IEC 27002 Information security controls
• Technology cyber security assessment (staff only)
• Online Learning Tools Marketplace (staff only)
• Administration Marketplace Panel for Schools (staff only)
• Online software applications and parental consent (staff only)
• Incident severity definitions (refer to Cyber Security NSW glossary)
• Reporting a security incident (staff only)
• Data breach response plan (staff only)

The Cyber security policy is guided and supported by the following:

• NSW Cyber Security Policy
• NSW State Records Act 1998 (NSW)
• NSW Privacy and Personal Information Protection Act 1998 (NSW)
• NSW Health Records and Information Privacy Act 2002 (NSW)
• NSW Workplace Surveillance Act 2005 (NSW)
• NSW Government Information Classification, Labelling and Handling Guidelines
• Code of ethics and conduct procedure
• Enterprise data standards
• Resilience and business continuity management procedures (staff only)
• Privacy Management Plan for Department of Education (PDF 643 KB)
• Privacy Code of Practice: Department of Education (PDF 361 KB)
• Digital devices, services and information – staff use policy
• Payment Card Industry Data Security Standard guidelines (staff only)
• Cyber Security strategy and standards (refer to Policies, strategies and standards [staff only])
• Enterprise Risk Management Framework (staff only)