Cyber security procedures

Direction and guidance on securing the department’s digital devices, services and information to enable staff and students to work and learn in a safe digital environment. Understand employee responsibilities in maintaining security and protecting the confidentiality, integrity and availability of information in line with the department’s Cyber security policy.

Audience

All staff in schools and education support settings, including contractors, and any parties that access or use the department’s digital devices, services, and information.

Version Date Description of changes Approved by
V01.1.0 02/08/2024

Re-allocation of Chief Information Security Officer (CISO) responsibilities to the Chief Information Officer (CIO) and Director, Security

Chief Information Officer

V01.0.0 13/05/2024 Under the 2023 Policy and procedure review program, new policy document developed. Chief Information Security Officer

About the policy

These procedures relate to the Cyber security policy.

Term Definition

Audit and Risk Committee (ARC)

Provides independent advice and support to the Secretary regarding the department's governance, risk and internal control frameworks as well as external accountability obligations. The responsibilities of the committee include seeking assurance around, and conducting a review of, key areas:

  • risk management
  • governance and accountability
  • external accountability
  • compliance and ethics
  • internal audit
  • external audit.

Business owner

Owns the application from the business side. They are responsible for:

  • the business functions that rely on the IT assets, including the applications and services
  • ensuring that IT assets meet the needs of the business, and that they are used in line with relevant policies and regulations.

Cyber incident

An occurrence or activity that threatens or has compromised the confidentiality, integrity or availability of a system or the information stored, processed or communicated by it. This includes the security of the department’s digital devices, systems and information, information and communications technology (ICT) infrastructure or personal information held by the department.

Cyber Security team

The team within the Information Technology Directorate that manages the day-to-day cyber functions within the department.

Cyber Security Working Group

A monthly consultative forum that supports the department in complying with mandatory requirements under the NSW Cyber Security policy. The Director, Cyber Security chairs the forum, which is made up of executive representatives from across the department.

Data breach

This occurs when personal, health, commercially sensitive or otherwise confidential information held by the department is accessed or disclosed without authorisation or is lost.

Data or department data

A collection of organised items. This may consist of numbers, words, or images, particularly as measurements or observations of a set of variables.

Department data refers to all data gathered, communicated, managed or used by the NSW Department of Education.

Digital devices

Electronic devices that can receive, store, process and share digital information and connect to applications (apps), websites and other online services. They include desktop computers, laptops, tablets, smartwatches, smartphones and other devices.

Health information

Personal information relating to or collected in providing for a person’s physical or mental health, health services and donations, genetic information and other health care identifiers. Examples include, but are not limited to:

  • personal information provided to any health organisation
  • a health service already provided to a staff member or student
  • a health service that is going to be provided
  • a health service a staff member or student has asked to be provided
  • some genetic information about a staff member or student, their relatives or descendants.

Information

Any communication or representation of knowledge such as facts, data, or opinions in any medium or form.

Information security management system (ISMS)

The policies, procedures, guidelines and associated resources and activities, collectively managed by an organisation in the pursuit of protecting its information assets. A systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation’s information security to achieve business objectives (ISO/IEC 27000:2018).

ISMS Framework

Outlines the scope and operation of the department’s ISMS, allows the department to measure its performance against the objectives of its cyber security plan, and is provided to Cyber Security NSW each year as evidence of compliance.

ITD

Information Technology Directorate.

Personal information

Information or an opinion (including information or an opinion forming part of a database, whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. Examples include, but are not limited to:

  • a written record that may include a person’s name, address and other details
  • photographs, images, video or audio footage
  • fingerprints, retina prints, body samples or genetic characteristics.

Risk appetite

The amount and type of risk the department is willing to undertake to achieve its strategic objectives in line with our Enterprise risk management policy.

Risk informed

A decision-making process where information about potential risks and their consequences is used to make decisions.

Sensitive information

This includes:

  • personal information
  • health information
  • information that could be subject to legal privilege
  • commercial-in-confidence information
  • law enforcement information
  • NSW Cabinet information
  • National Cabinet information.

The NSW Government collects, stores and manages sensitive information as a part of normal business processes.

Service owner

Responsible for developing, procuring, integrating, modifying, operating, maintaining, and final disposal of an information system.

System

Any application or ICT configuration item that stores, transmits, creates or uses information.

The Secretary:

  • appoints appropriate senior executive officers and a governance committee to oversee and implement the department’s obligations under the NSW Cyber Security policy
  • ensures the department implements and maintains an effective cyber security plan
  • determines the department’s risk appetite (refer to the Enterprise risk management Toolkit) using the approved whole-of-government Internal Audit and Risk Management Policy, (refer to NSW Treasury’s Internal audit and risk management) defining how much and what type of risk the department is willing to take on to achieve its objectives.

The Chief Operating Officer (COO):

  • supports the department’s cyber security plan.

The Chief Data Officer (CDO):

  • supports the department’s cyber security plan.

The Chief Information Officer (CIO):

  • oversees and implements the department’s Cyber security policy, sets the strategic direction for the Cyber Security team, establishes department cyber security programs and plans, and appropriately resources and supports department cyber security initiatives, including training and awareness and continual improvement initiatives
  • supports the department’s cyber security plan
  • allocates funding and resources to develop, implement, and maintain an Information Security Management System (ISMS)
  • enables industry best practice for identifying assets, assessing risk and applying appropriate controls within the department’s scope
  • determines the scope of CIO and COO responsibilities for cyber security relating to assets such as information, building management systems and industrial automation and control systems
  • ensures a secure-by-design approach for new initiatives and upgrades to department systems.

The Director, Cyber Security:

  • ensures compliance with the NSW Cyber Security policy and supports the department to implement and maintain an effective cyber security program and plan including via effective collaboration and governance forums
  • ensures the Cyber Security team develops, implements, and maintains the plan
  • submits a maturity report to Cyber Security NSW each year (by 31 October)
  • approves the Information Security Management System (ISMS) and
    • allocates resources for its function and manages the budget and funding for the cyber security program
    • endorses or approves policies, procedures, practices and tools to ensure compliance with the NSW Cyber Security policy
    • assesses and provides recommendations on any exemptions to department cyber security policies and standards
    • ensures the ISMS achieves its intended outcomes
    • measures the performance of the ISMS and reports to the CIO
    • reports on the performance of the ISMS to the department’s executive
  • develops a cyber security strategy, architecture and risk management process that incorporates these with the department’s current Enterprise risk management policy and framework
  • reports cyber incidents to the department’s executive and Cyber Security NSW in alignment with
  • coordinates the implementation and day-to-day operation of the Information Security Management System (ISMS) Framework and ensures the ISMS meets the required international standards
  • develops and maintains cyber security standards, procedures and guidelines
  • manages the life cycle of cyber security platforms including design, deployment, ongoing operation, and decommissioning
  • ensures appropriate management of the availability, capacity and performance of cyber security hardware and applications
  • provides input and support to regulatory compliance and assurance activities and manages any resultant remedial activity
  • acts as a focal point within the department for all matters related to information management required to support cyber security
  • escalate and report cyber incidents that involve information damage or loss to the Legal Services directorate
  • coordinates cyber security risk assessments across ISMS assets and third-party vendors that send or receive ISMS asset data, and ensures identified risks are managed to an acceptable level
  • in accordance with the ITD Contract Management Framework, ensures third-party ICT service providers
    • understand and comply with the department’s cyber security requirements
    • operate within the department’s information security requirements (refer to ICT contract requirements) and participate in security and performance reviews as required
  • manages and coordinates the response to cyber security incidents, changing threats, and vulnerabilities.

The Cyber Security Working Group:

  • is a consultative forum that contributes and consults on key compliance activities
  • promotes a cyber-safe culture across the organisation, to ensure cyber security is understood as a shared responsibility
  • promotes cyber safety practices and the importance of following the associated standards and procedures in all schools and education support settings.

The Audit and Risk Committee (ARC):

  • governs key compliance activities.

The Cyber Security team:

  • develops, implements, and maintains the department’s cyber security plan
  • prepares the maturity report for Cyber Security NSW each year
  • develops, maintains, and implements mandatory cyber security training for all employees, regardless of their role or level of access, to gain the appropriate knowledge to protect sensitive information and mitigate potential risks
  • provides access to mandatory cyber security training to increase awareness
  • encourages the reporting of cyber security risks by all staff
  • shares information about using department devices, systems, and information properly and securely
  • establishes and enforces appropriate access controls and security screening procedures for individuals granted access to department devices, systems, and information
  • in collaboration with relevant executive staff and service owners of ISMS assets –implements the Information Security Management System (ISMS) and develops an ISMS Framework, with operational and administrative support, advice and governance from the Director, Cyber Security
  • when ICT projects are initiated
    • reviews the project and its compliance against relevant security standards
    • reviews design and architecture documentation
  • develops, maintains, reviews and completes performance analysis of the Cyber Incident Response Plan as part of continual improvement.

System business owners and service owners:

  • cooperate with the Cyber Security team during the preparation of the annual maturity report and other compliance activities as required
  • with the assistance of asset support staff, develop and implement technical information security safeguards to manage identified risks.

The Audit directorate:

  • conducts systematic and periodic checks to ensure the effective implementation and operation of the ISMS against the framework.

The Chief Risk Office:

  • ensures cyber risk frameworks align with the Enterprise Risk Management Framework (refer to Policy and framework) and are applied when assessing cyber security risks and setting the department’s risk appetite.

The Manager, IT Audit, Assurance and Risk:

  • coordinates internal audit programs for cyber security
  • coordinates updates to the Enterprise Risk Register.

Asset support staff:

  • work in collaboration with the Cyber Security team to ensure the department’s information security management practices are continuously improved in line with NSW Government requirements
  • monitor and respond to cyber security incidents and events
  • report cyber security incidents to the Cyber Security team.

All principals and managers:

  • ensure staff remain compliant with mandatory training requirements and monitor completion through their SCOUT Compliance reports
  • ensure the Cyber security policy and applicable policies, standards and procedures are effectively communicated and implemented throughout all schools and education support areas
  • identify and report cyber threats
  • communicate information security matters to technology support staff and information users
  • collaborate with ITD staff to manage security requirements for their systems.

All staff (including contingent workers and third-party contractors):

  • contribute to the department’s cyber security culture by exercising a duty of care to protect the department’s system and information, participating in mandatory cyber security training and reporting all known or suspected cyber security risks
  • complete annual mandatory training (refer to Professional learning [staff only]. Training is available through the department’s professional learning platform)
  • comply with the Cyber security policy and other applicable policies, standards and procedures for using department devices, systems, and information properly and securely
  • use digital devices provided by the department for official purposes only and exercise a duty of care to protect the department’s digital systems and information
  • apply the same duty of care when using a personal device to access department systems and information. Additional actions as required under the Digital devices and online services-staff use policy ensure these devices remain secure
  • report any known or suspected cyber security risks to the appropriate risk and control owners within schools and business units through the department’s Cyber Incident Response Plan
  • cooperate with relevant Cyber Security and Chief Risk Office staff to manage identified risks in line with the department’s risk appetite
  • be aware of and have access to the department’s Enterprise risk management policy and framework to support risk-informed decision-making
  • when initiating ICT projects or activities where department data is being transmitted or received, consult the Cyber Security team throughout the project’s lifecycle
  • when initiating or managing projects, initiatives or activities with an AI component, engage the AI Review Service and AI Executive Leadership Group (ELG) for review and approval before proceeding
  • when managing student data, obtain parental or carer consent for the use of online applications where appropriate, as outlined in this procedure
  • consider whether a data breach has occurred when reporting an incident or event. Any data breach has additional reporting requirements in line with the Data breach response plan
  • comply with the department’s Cyber security standards (refer to Policies, strategies and standards) to manage the security of assets such as staff and student health, personal and other sensitive information.

Any company with a current ProcureIT, Core&, ICTA or MICTA contract, or any other current contract signed with the department:

  • annually completes their in-house cyber awareness training
  • incorporates information security requirements into new and continuing procurement of information and communications technology (ICT) and digital goods and services contracts. This includes ensuring that contract requirements are complied with.

What needs to be done

The department must comply with the NSW Cyber Security policy to ensure it appropriately manages cyber security risks to its information. This information is spread across education support and school environments and includes personal, health, confidential and legally privileged information.

The Secretary must ensure the department:

  • maintains secure digital devices, systems and information
  • protects the confidentiality, integrity and availability of information
  • creates a culture of cyber security resilience
  • reports on compliance with the NSW policy.

1. Planning and governance

To ensure appropriate governance and planning, the department must:

  • appoint specific roles and responsibilities to perform cyber security functions
  • develop, implement and maintain a department-wide cyber security plan, which must include the department’s general approach to uplift cyber security capabilities and build resilience
  • annually report to Cyber Security NSW on the department’s cyber security maturity.

1.1 The Secretary allocates roles and responsibilities for cyber security

The Secretary must appoint appropriate senior executive officers and a governance committee to oversee and implement the department’s cyber security obligations.

The NSW Cyber Security policy guides the requirements for the department’s roles and responsibilities for cyber security. For a full list of assigned responsibilities, refer to Policies, strategies and standards, the Cyber Security Responsibilities (PDF 198 KB) matrix.

The Secretary must appoint:

  • the Chief Information Officer who must oversee and implement the department’s Cyber Security policy, set the strategic direction for the Cyber Security team, establish department cyber security programs and plans, and appropriately resource and support department cyber security initiatives, including training and awareness and continual improvement initiatives
  • the Director, Cyber Security who must ensure compliance with the NSW Cyber Security policy and support the department to implement and maintain an effective cyber security program and plan including via effective collaboration and governance forums
  • a governance committee, the Audit and Risk Committee, which governs key compliance activities
  • a consultative forum, the Cyber Security Working Group, which contributes and consults on key compliance activities.

1.2 The Director, Cyber Security develops a cyber security plan

The Director, Cyber Security ensures the Cyber Security team develops, implements, and maintains a cyber security plan.

The cyber security plan consists of the:

The plan is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and aligns with the NSW Cyber Security Policy and the Australian Cyber Security Centre’s Essential Eight. The plan must:

  • be integrated with business continuity procedures
  • include consideration of threats, risks and vulnerabilities that impact the protection of the department’s digital systems and information within the department’s cyber security risk tolerance
  • outline the department’s goals, initiatives and general approach to uplift cyber security capabilities and build resilience across the department.

1.3 The Director, Cyber Security reports to Cyber Security NSW

Each year (by 31 October), the Director, Cyber Security must submit a maturity report to Cyber Security NSW.

The Cyber Security team prepares the report using the template provided by Cyber Security NSW, which must provide assurance of the department’s compliance with the NSW Cyber Security policy, including:

  • evidence of its maturity against all mandatory requirements in the NSW Cyber Security Policy and the Australian Cyber Security Centre’s (ACSC) Essential Eight for the previous financial year
  • a list of cyber security risks with a residual rating of high or extreme and a list of the department’s ‘crown jewels’
  • an attestation on cyber security signed off by the Secretary.

Service owners, as well as other relevant stakeholders across the department, must cooperate with the Cyber Security team throughout this process.

2. Build a cyber security culture

The Cyber Security Working Group must promote a cyber-safe culture across the organisation, to ensure cyber security is understood as a shared responsibility.

The Cyber Security team must:

  • provide access to mandatory cyber security training to increase awareness and encourage the reporting of cyber security risks by all staff
  • share information about using department devices, systems, and information properly and securely
  • establish and enforce appropriate access controls and security screening procedures for individuals granted access to department devices, systems, and information.

All staff must contribute to the department’s cyber security culture by:

  • protecting the department’s system and information
  • participating in mandatory cyber security training
  • reporting all known or suspected cyber security risks.

2.1 Complete mandatory training

The Cyber Security team must develop, maintain and implement mandatory cyber security training to help all employees gain the appropriate knowledge to protect sensitive information and mitigate potential risks.

All staff, including contingent workers and third-party contractors, must complete annual mandatory training (refer to Professional learning [staff only]. Training is available through the department’s professional learning platform).

Principals and managers must ensure staff remain compliant with mandatory training requirements by monitoring completion through SCOUT compliance reports. For more information on the compliance reports refer to:

Refer to Cyber safety’s Professional learning for a list of mandatory cyber security training courses.

Outsourced ICT service providers must also annually complete their in-house cyber awareness training and may be required to provide evidence of completion to the department’s contract manager. Refer to ICT contract requirements for more information.

2.2 Practice cyber safety

All staff must comply with the Cyber security policy and other applicable policies, standards and procedures for using department devices, systems and information properly and securely, including:

In particular, staff must comply with the requirements in the Digital devices, services and information – staff use policy when:

  • travelling overseas (for personal or work-related reasons) – refer to section 4 Taking or accessing department digital devices, services and information from overseas’)
  • using department-provided digital devices – use these for official purposes only and protect the department’s digital systems and information
  • using a personal device to access department systems and information – protect the department’s digital systems and information and ensure these devices remain secure.

All principals and managers must also ensure the Cyber security policy and applicable policies, standards and procedures are effectively communicated and implemented throughout all schools and education support areas.

Action by staff that goes against these practices is deemed unacceptable use and may be subject to disciplinary action.

3. Manage cyber security risks

To safeguard and secure its information and systems, the department manages its cyber security risks by:

3.1 Implement and maintain an information security management system

The department must implement and maintain an information security management system (ISMS) and framework, as outlined in this section.

The ISMS framework outlines the scope and operation of the department’s ISMS, allows the department to measure its performance against the objectives of the department’s cyber security plan, and is provided to Cyber Security NSW each year as evidence of compliance (as outlined in 1. Planning and governance).

The Audit directorate must conduct systematic and periodic checks to ensure the system’s effectiveness against the framework.

Service owners of ISMS assets and asset support staff must support the system’s implementation in collaboration with the Cyber security team.

The Chief Information Officer (CIO) must allocate funding and resources to develop, implement and maintain an Information Security Management System (ISMS) that:

  • aligns with the requirements in the NSW Cyber Security policy and the Australian Cyber Security Centre’s Essential Eight
  • maintains compliance and certification with the following international standards:
  • enables industry best practice for identifying assets, assessing risk and applying appropriate controls within the department’s scope.

The CIO also needs to:

  • determine the scope of CIO and Chief Operating Officer responsibilities for cyber security relating to assets such as information, building management systems and industrial automation and control systems
  • ensure a secure-by-design approach for new initiatives and upgrades to department systems.

The Cyber Security team must implement the ISMS and develop an ISMS framework in collaboration with the Director, Cyber Security. The director must also:

  • develop and maintain cyber security procedures and guidelines
  • manage the life cycle of cyber security platforms including design, deployment, ongoing operation, and decommissioning
  • ensure appropriate management of the availability, capacity and performance of cyber security hardware and applications
  • provide input and support to regulatory compliance and assurance activities and manage any resultant remedial activity
  • act as a focal point within the department for all matters related to information management required to support cyber security
  • escalate and report cyber incidents that involve information damage or loss to the Legal Services directorate
  • measure the performance of the ISMS and report to the Chief Information Officer (CIO)
  • allocate resources for the function of the ISMS and manage the budget and funding for the cyber security program
  • endorse or approve policies, procedures, practices and tools to ensure compliance with the NSW Cyber Security Policy
  • assess and provide recommendations on any exemptions to department cyber security policies and standards
  • ensure the ISMS achieves its intended outcomes
  • report on the performance of the ISMS to the department’s executive.

All staff must comply with the department’s Cyber security standards (refer to Policies, strategies and standards for all the information staff need to comply) to manage the security of assets such as staff and student health, personal and other sensitive information.

The current list of standards is:

  • API Security Standard
  • Cryptography Standard
  • Data Centre Physical Security Standard
  • Data Masking and De-Identification Standard
  • Identity and Access Management Standard
  • Logging and Monitoring Standard
  • Network Security Standard
  • Operating System Security Standard
  • Patch Management Standard
  • Password Standard
  • Privileged Access Management Standard
  • Remote Access Standard
  • Secure Coding Standard
  • Vulnerability Management Standard.

3.2 Manage cyber risk

The department determines its risk appetite and develops a cyber security strategy to respond to this, as outlined below.

The department operates a threat driven, risk informed approach to managing cyber security risks. At an enterprise governance level:

To effectively manage cyber risk, all staff must:

  • report identified cyber security risks to the appropriate risk and control owners within schools and business units (this may be to a manager, principal, or other delegated staff member – refer to Reporting a security incident for more information)
  • cooperate with relevant Cyber Security and Chief Risk Office staff to manage identified risks
  • be aware of and have access to the department’s Enterprise risk management policy and framework (refer to Policy and framework) to support risk-informed decision-making.

All principals and managers who own and control risk, including business owners and service owners, must (in line with the Enterprise risk management policy and framework [refer to Policy and framework]):

  • identify cyber threats and rate the likelihood and consequences should those threats be realised
  • communicate information security matters to technology support staff and information users
  • collaborate with ITD staff to manage security requirements for their systems.

The Director, Cyber Security must coordinate cyber security risk assessments across ISMS assets and third-party vendors that send or receive ISMS asset data, and ensure identified risks are managed to an acceptable level.

As part of this, service owners, with the assistance of asset support staff, must develop and implement technical information security safeguards to manage identified risks.

The Chief Risk Office must:

  • ensure cyber risk frameworks align with the Enterprise Risk Framework and are applied when assessing cyber security risks and setting the department’s risk appetite

The Manager, IT Audit, Assurance and Risk must:

  • coordinate internal audit programs for cyber security
  • coordinate updates to the Enterprise Risk Register.

3.3 Ensure ICT service providers comply with cyber security requirements

All staff responsible for managing information and communications technology (ICT) contracts must incorporate information security requirements into new and continuing procurement of ICT and digital goods and services contracts. This includes ensuring that contract requirements are complied with.

Refer to ICT contract requirements for details and for a list of goods and services to which these requirements may apply.

The Director, Cyber Security must work with contract managers and Procurement to ensure that third-party ICT service providers:

  • understand and comply with the department’s cyber security requirements
  • operate within the department’s ICT contract requirements and participate in security and performance reviews as required.

Staff responsible for initiating ICT projects or managing student data in online applications must read the applicable requirements below.

3.4 Ensure ICT projects or AI initiatives comply with requirements

All staff initiating ICT projects or activities where department data is being transmitted or received, must consult the Cyber Security team throughout the project’s lifecycle.

The Cyber Security team must:

  • ensure new projects comply with relevant cyber security standards
  • review design and architecture documentation
  • ensure appropriate security testing activities have been completed before go-live.

Refer to Technology cyber security assessment for more information.

All staff initiating or managing projects, initiatives or activities with an AI component, must be reviewed by the AI Review Service and gain AI Executive Leadership Group approval before proceeding. This aligns with mandatory reporting according to the NSW AI Assurance Framework and the National Framework for AI in Schools.

The AI Review Service and AI Executive Leadership Group can be contacted at AI.ELG@det.nsw.edu.au.

3.5 Manage student data in online applications

Student data refers to any data the department possesses or controls that relates to or concerns current, past or future students from any education setting.

All staff managing student data must obtain parental or carer consent, where appropriate, for using online applications (Table 1), as outlined below.

Table 1 Consent needed by online application

Core applications Approved applications Other applications

Core applications are provided to schools by the department free of charge.

Core applications include Microsoft Office 365, Google Workspace, Adobe Creative Cloud and Zoom.

These applications have been assessed by the department and do not require parental or carer consent for their use in schools.

Approved applications are those listed on the Online Learning Tools Marketplace and Administration Marketplace Panel for Schools.

These applications have been assessed by the department and do not require parental or carer consent for their use in schools.

Applications not listed as a core or approved application require a cyber security assessment before being used, to ensure they are safe for staff and student use.

It Is strongly recommended that all staff consider using core or approved applications where they may satisfy the same purpose as a non-approved application.

Staff can request cyber security assessments be conducted by the Cyber Security team or can perform their own.

All applications falling within this category require informed parental or carer consent be obtained for their use.

The Cyber Security team have developed the AssessedIT tool to enable schools to review the results of assessments conducted by the Cyber Security team and generate consent forms with the required information.

For information on how to request or perform a cyber security assessment, refer to Online software applications and parental consent.


While consent does not need to be obtained for the use of core and approved applications, it is best practice to inform parents of their use.

4. Build resilience and report cyber security incidents

The department works to improve its resilience, including its ability to rapidly detect cyber incidents and respond appropriately, through its Cyber Incident Response Plan.

A cyber security incident is any event that threatens or has compromised, the security of the department’s digital devices, services.

All staff must contribute to this plan by reporting any known or suspected cyber security incidents or data breaches.

4.1 The department maintains a cyber incident response plan

Effective cyber security relies on early notification of recognised vulnerabilities and threats. The Director, Cyber Security must report cyber incidents to the department’s executive and Cyber Security NSW as outlined below.

The Director, Cyber Security must report cyber incidents to the department’s executive and Cyber Security NSW in alignment with:

The Cyber Security team must develop, maintain, review and complete performance analysis of the Cyber Incident Response Plan as part of continual improvement.

The department's Cyber Incident Response Plan:

  • complies with the NSW Cyber Security policy
  • describes the processes, responsibilities, and tools used by incident response staff, executive staff and other relevant risk management branches for responding to cyber incidents beyond business as usual events in the department
  • integrates with the department’s Major Incident Management Process and the NSW Government Cyber Incident Response Plan
  • is exercised annually in line with NSW Cyber Security policy requirements by simulating cyber incident scenarios to test its effectiveness as well as the coordination of operational and executive response.

The Director, Cyber Security must manage and coordinate the response to cyber security incidents, changing threats, and vulnerabilities.

4.2 Report cyber incidents and events

All staff must report any known or suspected cyber incidents and events promptly to both:

  • their principal or manager
  • the Cyber Security team via EDConnect on 1300 32 32 32.

A cyber security incident is defined as any event that threatens or has compromised, the security of the department’s digital devices or services. Refer to Reporting a security incident for more information about what you may need to report and how.

All staff must also:

  • cooperate with the Cyber Security team to investigate, analyse and respond to cyber incidents
  • consider whether a data breach has occurred when reporting an incident or event. Any data breach has additional reporting requirements in line with the Data breach response plan.

Asset support staff must monitor and respond to cyber security incidents and events.

Data breaches

A data breach occurs where personal, health, commercially sensitive or confidential information held by the department is accessed or disclosed without authorisation or is lost.

Control failures, external events, or the accidental or malicious actions of individuals may result in breaches of the confidentiality, integrity or availability of the department’s information.

Cyber incidents or events differ from data breaches in that they include all types of unauthorised IT activities which may, or may not, result in a data breach.

Supporting tools, resources and related information

The Director, Cyber Security monitors the implementation of this procedure, regularly reviews its contents to ensure relevance and accuracy, and updates it as needed.

Return to top of page Back to top