The state government of South Australia (SA) recently released a Cyber Security Strategic Plan 2018-2021.
The Department of the Premier and Cabinet (DPC) is tasked with the
responsibility of leading the delivery of this plan on behalf of the South
Australian Government. The Plan states that the SA Government supports the
themes and ambitions within the Australian
Government’s Cyber Security Strategy launched in 2016.
The Plan has been developed in consultation with other
agencies and experts within the cyber security sector to provide the South
Australian Government with a stronger cyber security position.
Data from SA’s Cyber Security Incident Reporting Scheme shows
a rise in risk of cyber security incidents:
There has been an increased reliance on cloud services and
managed service providers to deliver services to government agencies and the
broader community. The Plan notes that an incident in one agency has the
potential to rapidly affect all agencies, with most agencies connected to a
single network.
Achieving consistency across agencies is another challenge, due
to differing online environments, diverse risk profiles and varied information
security expertise.
Strategic objectives of the Plan include making the
government’s infrastructure, services and systems resilient to cyber threats
and empowering the government’s digital and innovation agenda through a strong
risk culture. The Plan also aims to minimise the cost and disruption of recovering
from cyber security incidents and to maintain citizens' trust and confidence in
the government’s digital services through measured improvements
in cyber security maturity. Industry is a key aspect of the Plan. One of
the objectives is to motivate industry to invest, stimulating the state’s
economy and helping establish South Australia as a recognised cyber security
leader in the Asia-Pacific region.
The Plan’s activities are structured within three strategic
themes: 1) Influence Leadership (strengthen the role of government in providing
sound governance and clear accountabilities for a whole-of-government approach
to cyber security); 2) Build Resilience (strengthen the approach to the
prevention of, detection of, response to and recovery from cyber security
threats and incidents); 3) Share Responsibility (cultivate a collaborative
approach to cyber security that brings together all levels of government with
academia and the private sector).
Within the leadership area, the appropriateness and currency
of existing cyber security policies for SA Government will be reviewed. A
continuous improvement program will be implemented and there will be regular
reports to the Senior Management Council on cyber security progress. Employee
training and building awareness about information security will also be a key
area of focus.
Cyber risks will be integrated within enterprise risk
management processes. A cross-government Cyber Security Governance Committee
will be established and the across-government IT Security Adviser Forum will be
re-established.
A cyber security profession career path will be developed for
the SA Government. A Balance Scorecard for security outcomes will be created
and a risk-based prioritisation of government expenditure on cyber security
will be supported.
For building resilience, the ongoing SA Government Top
Ten Cyber Resilience and Preparedness Objectives work program and a whole
of government approach will be developed for the management of contractual
cyber security risks. In addition, a cyber security ‘Marketplace’ or ‘Kiosk’
will be put in place.
The SA Government also plans to undertake regular cyber
crisis planning, preparedness and response exercises with government and
industry partners. Cyber insurance arrangements for government will be reviewed.
Lessons learned from significant cyber security incidents will be documented
and shared to promote cross-sector collaboration.
The third strategic theme of sharing responsibility involves
the deployment of a Threat Intelligence Platform for use by all government
agencies. The government will continue to develop the Watch Desk facility for detection,
response and advisory group across government.
The SA Government will also support the establishment of the
SA node of AustCyber (Australian Cyber Security
Growth Network). The Government will establish partnerships with academia to
ensure suitable education and training is available within SA for cyber
security skills growth.
Cyber security awareness will be extended to citizens via
media and community engagement, and programs will be supported to raise awareness
about the impact of emerging risks and vulnerabilities and about developing
resilience. Cyber security threats will be included in the government’s emergency
management public awareness campaigns.
According to the Plan, the first 12 to 18 months of the
strategy will see a significant amount of work undertaken across the three strategic
themes. This initial period will form the foundation for the future
deliverables and inform the first strategic plan review in early 2019.