Victorian Government launches its first Cyber Security Strategy
The Victorian Government says it is ‘getting on’ with the state’s first Cyber Security Strategy to help protect government services and information from cyber threats.
Last Friday Special Minister of State Gavin Jennings and a group of IT experts launched the Strategy - the first of its kind in Australia.
According to a statement from the Victorian Government, the new Strategy negates an agency by agency approach and focuses on a whole of government approach to cybersecurity. This sustains strong security defences that can protect all of Victoria’s public services delivery.
“Establishing and maintaining Victoria’s cyber resilience will be a long-term challenge requiring an ongoing commitment. The Government is prepared to meet that challenge,” comments Jennings.
The 23-point strategy covers five main priorities: Engagement, planning, partnering, service maturity and capability.
Engagement priorities: To appoint a chief information security officer for Victoria. “This executive role will oversee government’s response to the cyber threat, develop best practice, provide assurance, report internally on our cyber security status, and coordinate cross-government action.”
It includes frequent, high-quality and standardised reporting for senior executives, including threat assessments, cyber resilience maturity, investment statuses, breach summaries and gap analyses.
1. Whole-of-government oversight and focus on cyber security resilience. 2. Better and informed investment decisions at both a whole-of-government and agency level through a clear understanding of the Government’s cyber security positioning. 3. Cyber security becoming embedded into the normal operations of government through regular actionable communication and awareness programs. 4. Clearer accountability and focus for agency heads in managing cyber security risk within their agencies.
Planning priorities: “A planning cycle creates a rhythm for strategic action – away from the tactical responses needed for day-to-day incident and threat management. It helps identify the appropriate use of shared and common services, and builds capability to support sound investment and sustainable response mechanisms.”
1. Disciplined approach to understanding and responding to the cyber security threat. 2. Better informed investment decisions at a whole-of-government and agency level through a considered understanding of threats, priorities and response mechanisms. 3. Improved information sharing and leveraging of internal capability through stronger engagement within the Government’s cyber security community. 4. Improved focus on planning and readiness for cyber attacks on ICS/SCADA systems
Partnering priorities: “The Government recognises that it needs to combine forces both within government and with the private sector. We know that strong partnerships benefit all participants. A combined strategic approach, intelligence sharing, capability sharing, and the capacity to test proposed approaches with leading cyber industry practitioners, all add value.”
1. Greater insight and increased timeliness through shared intelligence. 2. Better practice through engagement with cyber security experts within the Victorian Government, specialist Victorian Government agencies, the Australian Government, industry, and academia. 3. A holistic approach and broader capability arising from targeted and strategic vendor relationships.
Service maturity priorities: “Careful consideration needs to be given to developing and maintaining the right balance between in-house cyber security skills and appropriate use of managed security services. The Government needs to be a smart buyer and consumer of cyber security services and maximise the opportunity to develop and retain its own cyber security skilled workforce.”
1. Incident response and recovery are enhanced, and multi-agency threats are recognised earlier, when an integrated federated Security Operations Centre capability is deployed. 2. Long term service maturity is established through increased in-house capability. 3. Better information technology and business systems investment decisions are made when guidance and initial assessments for consuming cloud services are available. 4. Improved understanding and quantification of the potential impact of a cyber breach. 5. Costs efficiency through a shared approach to establishing and developing cyber capabilities.
Capability priorities: “The Government requires a cyber security specialist workforce plan. It is expected that this will need to be developed with the education sector; partnering with universities and specialist educators like the Oceania Cyber Security Centre.”
1. Productivity improvement due to a reduction in outages and loss of data, which will come from an increase in the general capability of all public service employees around cyber security 2. Increased resilience in cyber security arising from an end-to-end focus on developing in-house specialist cyber security capability.
The Victorian Government has established an action plan for these steps, which has been plotted until March 2019.
The Government will be working closely with Emergency Management Victoria, Victorian Managed Insurance Authority, CenITex, the Australian Government, the Oceania Cyber Security Centre, CSIRO’s Data61, the Global Cyber Security Capacity Centre and the Computer Emergency Response Team (CERT) on various initiatives as part of the strategy.