State Government of South Australia released Cyber Security Strategic Plan 2018-2021
The state government of South Australia (SA) recently released a Cyber Security Strategic Plan 2018-2021. The Department of the Premier and Cabinet (DPC) is tasked with the responsibility of leading the delivery of this plan on behalf of the South Australian Government. The Plan states that the SA Government supports the themes and ambitions within the Australian Government’s Cyber Security Strategy launched in 2016.
The Plan has been developed in consultation with other agencies and experts within the cyber security sector to provide the South Australian Government with a stronger cyber security position.
Data from SA’s Cyber Security Incident Reporting Scheme shows a rise in the risk of cyber security incidents.
There has been an increased reliance on cloud services and managed service providers to deliver services to government agencies and the broader community. The Plan notes that an incident in one agency has the potential to rapidly affect all agencies, with most agencies connected to a single network.
Achieving consistency across agencies is another challenge, due to differing online environments, diverse risk profiles and varied information security expertise.
Strategic objectives of the Plan include making the government’s infrastructure, services and systems resilient to cyber threats and empowering the government’s digital and innovation agenda through a strong risk culture. The Plan also aims to minimise the cost and disruption of recovering from cyber security incidents and to maintain citizens’ trust and confidence in the government’s digital services through measured improvements in cyber security maturity. Industry is a key aspect of the Plan. One of the objectives is to motivate industry to invest, stimulating the state’s economy and helping establish South Australia as a recognised cyber security leader in the Asia-Pacific region.
The Plan’s activities are structured within three strategic themes: 1) Influence Leadership (Strengthen the role of government in providing sound governance and clear accountabilities for a whole of government approach to cyber security); 2) Build Resilience (Strengthen the approach to the prevention of, detection of, response to and recovery from cyber security threats and incidents); 3) Share Responsibility (Cultivate a collaborative approach to cyber security that brings together all levels of government with academia and the private sector).
Within the leadership area, the appropriateness and currency of existing cyber security policies for SA Government will be reviewed. A continuous improvement program will be implemented and there will be regular reports to the Senior Management Council on cyber security progress. Employee training and building awareness about information security will also be a key area of focus.
Cyber risks will be integrated within enterprise risk management processes. A cross government Cyber Security Governance Committee will be established and the across government IT Security Adviser Forum will be re-established.
A cyber security profession career path will be developed for the SA Government. A Balance Scorecard for security outcomes will be created and a risk-based prioritisation of government expenditure on cyber security will be supported.
For building resilience, the ongoing SA Government Top Ten Cyber Resilience and Preparedness Objectives work program will continue and a whole of government approach will be developed for the management of contractual cyber security risks. In addition, a cyber security ‘Marketplace’ or ‘Kiosk’ will be put in place.
The SA Government also plans to undertake regular cyber crisis planning, preparedness and response exercises with government and industry partners. Cyber insurance arrangements for government will be reviewed. Lessons learned from significant cyber security incidents will be documented and shared to promote cross-sector collaboration.
The third strategic theme of sharing responsibility involves the deployment of a Threat Intelligence Platform for use by all government agencies. The government will continue to develop the Watch Desk facility as a detection, response and advisory group across government.
The SA Government will also support the establishment of the SA node of AustCyber (Australian Cyber Security Growth Network). The Government will establish partnerships with academia to ensure suitable education and training is available within SA for cyber security skills growth.
Cyber security awareness will be extended to citizens via media and community engagement, and programs will be supported to raise awareness about the impact of emerging risks and vulnerabilities and about developing resilience. Cyber security threats will be included in the government’s emergency management public awareness campaigns.
According to the Plan, the first 12 to 18 months of the strategy will see a significant amount of work undertaken across the three strategic themes. This initial period will form the foundation for future deliverables and inform the first strategic plan review in early 2019.