Cyber Security Strategic Plan 2018-2021


South Australian Government

South Australian Government Cyber Security Strategic Plan 2018-21

CONTENTS

- Strategic Direction
- South Australian Context
- Action Plan
- Timeline
- Strategic Themes
  - 1: Influence Leadership
  - 2: Build Resilience
  - 3: Share Responsibility
- Related Documents

Public – I1 – A1

STRATEGIC DIRECTION

Given the South Australian Government’s critical role in service delivery, it is imperative that state infrastructure, digital assets and citizen information are adequately safeguarded against the ever-increasing incidence of cybercrime and espionage.

The Department of the Premier and Cabinet (DPC) is tasked with this responsibility, leading the delivery of this Cyber Security Strategic Plan 2018-21 on behalf of the South Australian Government.

In consultation with other agencies and experts within the cyber security sector, DPC has developed this plan detailing the activities that will provide the South Australian Government with a stronger cyber security position. This will help deliver more responsible data sharing for social change, better protect the safety and prosperity of South Australians, and enhance the government’s digital engagement with the business community.

A series of strategic objectives have been set to help achieve these desired outcomes:

- The government’s infrastructure, services and systems are resilient to cyber threats.
- The government’s digital and innovation agenda is empowered through a strong risk culture.
- Citizens’ trust and confidence in the government’s digital services is maintained through measured improvements in cyber security maturity.
- The cost and disruption to recover from cyber security incidents is minimised.
- Cyber security is managed in a way that meets industry and community expectations.
- Industry is motivated to invest, stimulating the state’s economy and helping establish South Australia as a recognised cyber security leader in the Asia-Pacific region.

The plan’s activities are structured within three strategic themes.

1. Influence Leadership
Strengthen the role of government in providing sound governance and clear accountabilities for a whole of government approach to cyber security.

2. Build Resilience
Strengthen the approach to the prevention of, detection of, response to and recovery from cyber security threats and incidents.

3. Share Responsibility
Cultivate a collaborative approach that brings together all levels of government with academia and the private sector to cyber security.

In line with SA Connected, the South Australian Government’s ICT strategy, our approach is to gain the benefits of innovation by embracing opportunities, informing our choices, and managing risks in an agile way.

Endorsed by

Dr Don Russell
Chair, Senior Management Council
Chief Executive, Department of the Premier and Cabinet
Government of South Australia

Mr Rick Persse
Chair, ICT and Digital Governance Board
Chief Executive, Department for Education and Child Development
Government of South Australia

Mr David Goodman
Chief Information Security Officer
Government of South Australia

SOUTH AUSTRALIAN CONTEXT

Driven by the Premier’s Digital by Default Declaration that commits the government to a transformative agenda, the South Australian (SA) Government’s approach to ICT ownership, management and delivery is undergoing significant change.

As more government services transition to digital platforms, the risk of cyber security incidents grows with the ability to impact service delivery, cause economic loss and harm the public’s confidence in government services. Data from SA’s Cyber Security Incident Reporting Scheme supports this trend.

[Chart: Annual Cyber Security Reports in SA Government, 2014 to 2017. Total reports to the Across Government Cyber Security Scheme per year; the values did not survive transcription.]

From a service delivery perspective, there has been an increased reliance on cloud services and managed service providers to deliver services to government agencies and the broader community.

With most agencies connected to a single network, an incident in one agency has the potential to rapidly affect all agencies, putting citizen services at risk. Fortifying internal policies and practices will help address this vulnerability.

Consistency across agencies is another challenge, evidenced by differing online environments, diverse risk profiles and varied information security expertise. Acknowledging that our capability and capacity need to increase, we need to continue to collaborate with the private sector and other stakeholders to stay abreast of security trends and further develop the skill sets of ICT professionals across government.

The SA Government supports the themes and ambitions within the Australian Government’s Cyber Security Strategy launched in 2016. Collaboration at a national level and with industry partners is a key component of our approach to cultivate a collaborative approach to cyber security.

ACTION PLAN

Influence Leadership (IL): Strengthen the role of government in providing sound governance and clear accountabilities for a whole of government approach to cyber security.

Build Resilience (BR): Strengthen the approach to the prevention of, detection of, response to and recovery from cyber security threats and incidents.

Share Responsibility (SR): Cultivate a collaborative approach that brings together all levels of government with academia and the private sector to cyber security.

IL1 - Plan and develop policy frameworks
1.1 Develop a South Australian Government Cyber Security Strategic Plan.
1.2 Review the appropriateness and currency of existing cyber security policies for SA Government.
1.3 Implement a continuous improvement program and report regularly to the Senior Management Council on cyber security progress.

IL2 - Lead people and change to improve the culture of cyber security
2.1 Deliver employee training and build awareness about information security.
2.2 Integrate cyber risks within enterprise risk management processes.
2.3 Encourage trust and confidence in online and digital service delivery.
2.4 Support government agencies to ensure employees in positions of trust are appropriately trained and vetted.

IL3 - Assign government responsibility
3.1 Establish an across government Cyber Security Governance Committee.
3.2 Re-establish the across government IT Security Adviser Forum.
3.3 Develop a cyber security profession career path for SA Government.
3.4 Take an active role in leading and influencing national cyber security initiatives.

IL4 - Measure cyber security performance
4.1 Create a Balance Scorecard for security outcomes.
4.2 Support a risk-based prioritisation of government expenditure on cyber security.

BR1 - Prevent and prepare
1.1 Continue to develop the SA Government’s cyber resilience position.
1.2 Deliver the ongoing SA Government Top Ten Cyber Resilience and Preparedness Objectives work program.
1.3 Develop a whole of government approach for the management of contractual cyber security risks.
1.4 Develop an external/internal vulnerability scanning and assessment capability.
1.5 Consciously consider emerging cyber threats in the development of intelligence products.
1.6 Improve security and policy control measures for areas of high risk, including critical infrastructure.
1.7 Develop a cyber security ‘Marketplace’ or ‘Kiosk’.
1.8 Undertake regular cyber crisis planning, preparedness and response exercises with government and industry partners.

BR2 - Respond and recover
2.1 Enhance cyber security incident and crisis management arrangements to improve alignment with Commonwealth, State Crisis and Emergency Management arrangements.
2.2 Review cyber insurance arrangements for government.
2.3 Create systems and processes for resource pooling for significant cyber security incident responses.

BR3 - Grow
3.1 Document and share lessons learned from significant cyber security incidents to promote cross-sector collaboration.
3.2 Establish uniformity of cyber security resourcing across the public sector to ensure adequate resourcing.

SR1 - Share knowledge and threat intelligence
1.1 Deploy a Threat Intelligence Platform for use by all government agencies.
1.2 Continue to develop the Watch Desk facility as a respected and leading incident detection, response and advisory group for across government.

SR2 - Develop partnerships
2.1 Support the establishment of the SA node of AustCyber.
2.2 Support the establishment of the Joint Cyber Security Centre in Adelaide.
2.3 Establish strong and improved engagement programs and partnerships with industry.
2.4 Establish partnerships with academia to ensure suitable education and training is available within SA for cyber security skills growth.

SR3 - Build capability
3.1 Ensure an agile future resource capability by providing appropriate skills training.
3.2 Establish a leading Cyber Security Operations Centre.
3.3 Research and provide common services and tools for cyber security for use by government and non-government stakeholders.
3.4 Facilitate growth and innovation in cyber security with other industries.

SR4 - Assess societal impacts
4.1 Extend cyber security awareness to citizens via media and community engagement to create a valued cyber security conscious state.
4.2 Support programs to raise awareness about the impact of emerging risks, vulnerabilities and developing resilience.
4.3 Include cyber security threats in the government’s emergency management public awareness campaigns.

TIMELINE

The first 12 to 18 months of the strategy will see a significant amount of work undertaken across three strategic themes. This initial period will form the foundation for the future deliverables and inform the first strategic plan review.

[Timeline chart: milestones by month across 2018 to 2021 for the three strategic themes (1: Influence Leadership, 2: Build Resilience, 3: Share Responsibility). Only the activity labels survived transcription: IL2.4, SR4.2, SR2.1, IL3.3, BR2.3, BR3.2, SR3.1 and SR3.2 appear as dated milestones; IL2.3, IL3.4, BR1.5, SR2.3, SR3.3 and SR3.4 are shown as ongoing from Jan 2018 to Jan 2021.]

STRATEGIC THEMES

1: Influence Leadership

Strengthen the role of the government in providing sound governance and clear accountabilities for a whole of government approach to cyber security.

IL1 – Plan and develop policy frameworks

Strategic Objective: Align the South Australian Government Cyber Security Strategic Plan to Australia’s Cyber Security Strategy.

Activity IL1.1: Develop a South Australian Government Cyber Security Strategic Plan.
Success Criteria:
- An approved and published South Australian Government Cyber Security Strategic Plan on SA.GOV.AU by January 2018.

Activity IL1.2: Review the appropriateness and currency of existing cyber security policies for the South Australian Government.
Success Criteria:
- Information Security Management Framework (ISMF) 3.3 to be replaced by a simplified ISMF 4.0, and all associated standards and guidelines reviewed and updated by 30 June 2018.
- Deliver Cloud Security standards and guidelines by 30 June 2018.
- Deliver an updated PC030 – Protective Security Management Framework by June 2018.
- Deliver an updated StateNet Conditions of Connection 4.0 by June 2018.

Activity IL1.3: Implement a continuous improvement program and report regularly to the Senior Management Council on cyber security progress.
Success Criteria:
- Six monthly updates provided to Senior Management Council.
- Strategic Plan reassessed and modified in January 2019.

IL2 – Lead people and change to improve the culture of cyber security

Strategic Objective: Provide strategic leadership to develop the capability to adapt in the face of new and emerging cyber security risks and threats.

Activity IL2.1: Deliver employee training and build awareness about information security.
Success Criteria:
- An across government cyber and information security employee training and awareness package designed by April 2018.
- A high proportion of employees complete the training.
- An increased number of agencies adopt a mandatory induction and ongoing awareness program.

Activity IL2.2: Integrate cyber risks within enterprise risk management processes.
Success Criteria:
- Cyber and information security risks are included on operational and corporate risk registers and treated as enterprise level risks by February 2018.
- Advice is provided to agency audit and risk committees on cyber security risk strategies and frameworks.

Activity IL2.3: Encourage trust and confidence in online and digital service delivery.
Success Criteria:
- A reporting template and guidance for security considerations delivered by June 2018.
- A reduced number and impact of security incidents related to online and digital delivery of services by 2019.
- Full mandatory integration of security considerations in design and implementation of online services by 2020.

Activity IL2.4: Support government agencies to ensure employees in positions of trust are appropriately trained and vetted.
Success Criteria:
- Policy for all SA Government staff employed in positions of trust or working in areas delivering critical services to the state by August 2018.
- Mandatory personal vetting and security screening implemented at a level appropriate to role prior to employment by August 2018.
- Mandatory security training for staff employed in positions of trust by August 2018.

IL3 – Assign government responsibility

Strategic Objective: Provide oversight that clearly defines accountabilities and responsibilities for cyber security.

Activity IL3.1: Establish an across government Cyber Security Governance Committee.
Success Criteria:
- An across government Cyber Security Advisory Sub Committee of the ICT and Digital Governance Board established.
- Sub Committee established with industry representation by January 2018.

Activity IL3.2: Re-establish the across government IT Security Adviser Forum.
Success Criteria:
- Regular ITSA Forums delivered, with improvements to the structure and delivery based on industry and participant feedback, by January 2018.

Activity IL3.3: Develop a cyber security profession career path for SA Government.
Success Criteria:
- Defined role guidance for across government security personnel designed by March 2018.
- An across government mentoring and secondment program established by June 2018.
- Partnerships with industry and academia established to deliver relevant and suitable training for cyber and information security by April 2018.

Activity IL3.4: Take an active role in leading and influencing national cyber security initiatives.
Success Criteria:
- Increased participation by the South Australian Government in membership of relevant boards, committees and bodies in SA, nationally, and internationally.
- Support the Joint Cyber Security Centre program and launch of the centre.

IL4 – Measure cyber security performance

Strategic Objective: Investment for Cyber Security is strategic and risk based whereby exposures are prioritised to ensure cyber security maturity is strengthened.

Activity IL4.1: Create a Balance Scorecard for security outcomes.
Success Criteria:
- Independent across government cyber security assessment undertaken by February 2018.
- Baselines for cyber security metrics set by February 2018.
- Desired state for Cyber Security maturity defined for government agencies by June 2018.

Activity IL4.2: Support a risk-based prioritisation of government expenditure on cyber security.
Success Criteria:
- Current levels and patterns of expenditure in cyber security across SA Government assessed by February 2018.
- Use of economies of scale through across government procurement of cyber services increased by 2021.

2: Build Resilience

Strengthen the approach to the prevention of, detection of, response to and recovery from cyber security threats and incidents.

BR1 – Prevent and prepare

Strategic Objective: Increase preparedness for new and emerging cyber security threats to provide cyber resilience.

Activity BR1.1: Continue to develop the SA Government’s cyber resilience position.
Success Criteria:
- Independent Cyber Resilience Review undertaken by February 2018 (refer to IL4.1).
- Participation in Australian Government Cyber Resilience activities to ensure alignment with state and national activities.

Activity BR1.2: Deliver the ongoing SA Government Top Ten Cyber Resilience and Preparedness Objectives work program.
Success Criteria:
- Top 10 Cyber Resilience and Preparedness Objectives second report submitted to Cabinet by June 2018.

Activity BR1.3: Develop a whole of government approach for the management of contractual cyber security risks.
Success Criteria:
- Whole of government approach developed, including standard contract clauses, by June 2018.

Activity BR1.4: Develop an external/internal vulnerability scanning and assessment capability.
Success Criteria:
- Full program implementation and business process established by January 2020.

Activity BR1.5: Consciously consider emerging cyber threats in the development of intelligence products.
Success Criteria:
- Watch Desk continues to develop its holistic threat intelligence capability.
- Continuous improvement cycle for monitoring and analysing data becomes common practice and is fed into policy and process decision making.
- Watch Desk provides timely and accurate cyber threat and intelligence information with regular feedback sought from stakeholders.
- Delivery of the threat intelligence sharing platforms (refer to SR1.1).

Activity BR1.6: Improve security and policy control measures for areas of high risk, including critical infrastructure.
Success Criteria:
- Current security and policy control measures for high risk systems re-examined, with implementation of improvement measures commencing by January 2018.
- State Government Critical ICT Infrastructure program redeveloped by March 2018.

Activity BR1.7: Develop a cyber security ‘Marketplace’ or ‘Kiosk’.
Success Criteria:
- Economies of scale achieved through across government procurement of essential cyber security tools/services by July 2018.

Activity BR1.8: Undertake regular cyber crisis planning, preparedness and response exercises with government and industry partners.
Success Criteria:
- An annual training program delivered each year.
- Cyber Terrorism exercise (funded by Australia-New Zealand Counter Terrorism Committee) undertaken by March 2018.

BR2 – Respond and recover

Strategic Objective: Proactively ensure the state’s cyber security arrangements deliver better outcomes for the state.

Activity BR2.1: Enhance cyber security incident and crisis management arrangements to improve alignment with Commonwealth, State Crisis and Emergency Management arrangements.
Success Criteria:
- DPC in conjunction with CERT Australia undertake cyber security exercises for SEMC, DPC Control Agency for ICT Failure, and agency ITSAs by January 2018.

Activity BR2.2: Review cyber insurance arrangements for government.
Success Criteria:
- Cyber Insurance arrangements reviewed by June 2018.

Activity BR2.3: Create systems and processes for resource pooling for significant cyber security incident responses.
Success Criteria:
- Implementation of cyber security resources for the management of significant cyber security incident responses by May 2018, taking into account all skillsets required (i.e. more than just cyber security experts).
- SA Government response arrangements aligned with the Australian Government cyber crisis management arrangements by June 2018.
- SA Communications Sector Forum’s capability and capacity developed through awareness raising exercises.

BR3 – Grow

Strategic Objective: Undertake continuous improvement to further understand the impact of cyber security incidents and provide uniformity of cyber security resourcing across agencies.

Activity BR3.1: Document and share lessons learned from significant cyber security incidents to promote cross-sector collaboration.
Success Criteria:
- Formal collaboration tools used by the security community for inter-agency sharing of lessons are reviewed and agencies increase their utilisation by December 2018.
- Lessons learnt are shared as required and on a quarterly basis thereafter, with a process in place by January 2018.

Activity BR3.2: Establish uniformity of cyber security resourcing across the public sector to ensure adequate resourcing.
Success Criteria:
- Cyber Security Workforce Framework developed by December 2018.

3: Share Responsibility

Cultivate a collaborative approach that brings together all levels of government with academia and the private sector to cyber security.

SR1 – Share knowledge and threat intelligence

Strategic Objective: Establish trusted partnerships for threat intelligence and knowledge sharing across the cyber security community.

Activity SR1.1: Deploy a Threat Intelligence Platform for use by all government agencies.
Success Criteria:
- Cyber Threat Intelligence Sharing Toolkit deployed for agency use by January 2018.
- Toolkit deployed for private sector partners by June 2018.

Activity SR1.2: Continue to develop the Watch Desk facility as a respected and leading incident detection, response and advisory group for across government.
Success Criteria:
- Watch Desk facility reviewed and improvement plan implemented by January 2018.

SR2 – Develop partnerships

Strategic Objective: Strengthen and enhance cyber security resilience and build the capacity of SA Government through improved engagement programs, collaboration of resources, intelligence and partnerships.

Activity SR2.1: Support the establishment of the SA Node of AustCyber.
Success Criteria:
- SA Node established by January 2018.

Activity SR2.2: Support the establishment of the Joint Cyber Security Centre in Adelaide by the Australian Government.
Success Criteria:
- Joint Cyber Security Centre established and operating in SA by March 2018 with support from SA Government personnel.

Activity SR2.3: Establish strong and improved engagement programs and partnerships with industry.
Success Criteria:
- Partnerships and engagement programs established and continuously improved to achieve optimal outcomes for stakeholders.
- Ongoing support for the work of the Australian Government Critical Infrastructure Centre.
- Ongoing support for the Trusted Information Sharing Network model, including participation in appropriate governance groups and involvement in exercises and training.

Activity SR2.4: Establish partnerships with academia to ensure suitable education and training is available within SA for cyber security skills growth.
Success Criteria:
- Partnerships and engagement programs established and continuously improved to achieve optimal outcomes for stakeholders.
- Examine support for the Cyber Security Cooperative Research Centre, with potential opportunities identified by June 2018.

SR3 – Build capability

Strategic Objective: Develop the capability to adapt and be responsive in the face of new and emerging cyber security threats.

Activity SR3.1: Ensure an agile future resource capability by providing appropriate skills training.
Success Criteria:
- Identify common security roles with appropriate salary streams as guidance for agencies to ensure a uniform approach to security resourcing across the public sector and to assist with the attraction and retention of skilled staff within the state’s Cyber Security workforce by 31 December 2018.

Activity SR3.2: Establish a leading Cyber Security Operations Centre.
Success Criteria:
- Review the options available for a State Cyber Security Operations Centre and report to the ICT and Digital Governance Board by March 2018.
- State Cyber Security Operations Centre established by June 2019 (linked to SR1.3).

Activity SR3.3: Research and provide common services and tools for cyber security for use by government and non-government stakeholders.
Success Criteria:
- Appropriate across government Cyber Security services and tools developed and endorsed by stakeholders.

Activity SR3.4: Facilitate growth and innovation in cyber security with other industries.
Success Criteria:
- Areas (e.g. automation, artificial intelligence, cognitive computing, robotics) in which the state can facilitate growth and innovation identified during 2018 to 2021.

SR4 – Assess societal impacts

Strategic Objective: Educate South Australians about the impact of new and emerging cyber security threats, risks and how to develop resilience.

Activity SR4.1: Extend cyber security awareness to citizens via media and community engagement to create a valued cyber security conscious state.
Success Criteria:
- Public media campaign established by June 2018.

Activity SR4.2: Support community programs to raise awareness about the impact of emerging risks, vulnerabilities and developing resilience.
Success Criteria:
- Cyber security information regularly given to citizens via SA.GOV.AU.
- Regular drop in sessions for the public to ask cyber-related questions provided by 2019.
- Multi-year media and public relations campaign considered for launch in 2019.
- The SA Government’s community resilience strategy to include cyber threats, and the reliance on ICT.

Activity SR4.3: Include cyber security threats in the government’s emergency management public awareness campaigns.
Success Criteria:
- Inclusion of cyber security incidents on the ‘emergencies and safety’ section of SA.GOV.AU by March 2018.
- Cyber security threats promoted at the State Emergency Management Committee via regular briefings and provision of security threat reports.

RELATED DOCUMENTS

The South Australian Government Cyber Security Strategic Plan 2018-21 builds upon the following documents.

- Australia’s Cyber Security Strategy
- SA Connected – SA Government’s ICT strategy
- Digital by Default Declaration
- State Emergency Management Committee Strategic Framework 2017-2022
- South Australia’s Seven Strategic Priorities
- South Australia’s Economic Priorities

Contact

Office for Cyber Security
Department of the Premier and Cabinet
Government of South Australia
www.digital.sa.gov.au
www.dpc.sa.gov.au
GPO Box 2343
Adelaide SA 5001

For further inquiries please contact: ciso@sa.gov.au

© Government of South Australia. Published 2018.

With the exception of the Government of South Australia brand, logos and any images, this work is licensed under a Creative Commons Attribution (CC BY) 4.0 Licence. To attribute this material, cite the Office for Cyber Security, Department of the Premier and Cabinet, Government of South Australia, 2018.
