Unlocking the Essential Eight: A complete guide for Australian organisations

Essential Eight

State Government requirements

Many state and territory governments either directly reference the Essential Eight or use it in their own protective security frameworks.


New South Wales

The NSW Cyber Security Policy (CSP) establishes mandatory requirements for all NSW Government agencies to effectively manage cyber security risks to their information and systems. The policy aims to enhance confidentiality, integrity, and availability of government services and data.

Key Components of the NSW CSP:

Mandatory Requirements: Agencies must implement specific measures across several areas, including:

  • Cyber Security Planning and Governance: Establishing robust frameworks and assigning clear responsibilities for cyber security management.
  • Risk Management: Identifying, assessing, and mitigating cyber security risks to protect sensitive information and critical systems.
  • Resilience and Incident Response: Developing capabilities to detect, respond to, and recover from cyber incidents promptly.
  • Culture and Awareness: Promoting a strong cyber security culture through training and awareness programs.
  • Annual Reporting: By October 31 each year, agencies are required to submit a comprehensive report to Cyber Security NSW. This report must include:
    • An assurance assessment against all mandatory requirements for the previous financial year
    • Details of any high or extreme residual cyber security risks.
    • A formal attestation regarding the agency’s cyber security posture.
  • The Essential Eight: Implementation of Essential Eight is mandated for government agencies under the NSW Cyber Security Policy. Agencies are required to achieve a minimum of Maturity Level 1 across all Eight mitigation strategies.

Reference: NSW-Cyber-Security-Policy-2023-2024.pdf

Map common themes and controls from local framework to Essential Eight

The NSW Cyber Security Policy aligns with the following security frameworks and standards:

  • ISO 27001 (International Standard for Information Security Management Systems – ISMS)

The ISO/IEC 27001 framework provides a systematic approach to managing sensitive information. It shares common principles with the NSW CSP such as:

    • Risk-based security management
    • Incident response and recovery planning
    • Employee security awareness and training

  • NIST Cybersecurity Framework (National Institute of Standards and Technology – USA)

The NIST CSF is widely used to assess and improve cybersecurity postures. The NSW policy maps closely to its six core functions:

    • Govern
    • Identify
    • Protect
    • Detect
    • Respond
    • Recover
  • PSPF (Protective Security Policy Framework – Australian Government)

The PSPF sets security requirements for government agencies and aligns closely with the NSW Cyber Policy in areas such as:

    • Governance and accountability
    • Information and personnel security
    • Cyber Resilience
  • ASD ISM (Australian Signals Directorate Information Security Manual)

The ASD ISM provides security principles for protecting government systems and data. Many controls in the NSW CSP, such as incident reporting and vulnerability management, are derived from the ISM.


Queensland

The Information security policy (IS18) is the primary policy for information security in the Queensland Government. It is supported by various frameworks, standards, and guidelines under the Queensland Government Enterprise Architecture (QGEA).

Purpose of IS18

This policy will improve the protection of services to Queenslanders and maintain a focus on continuous improvement of information security to enhance organisational resilience.

The Queensland Government is responsible for a significant amount of information. To ensure trust and deliver business value, it is critical that this information is protected appropriately.

This policy seeks to ensure the Queensland Government applies a consistent, risk-based approach to the implementation of information and cyber security to maintain confidentiality, integrity, and availability.

Requirements of IS18

IS18 has five key requirements:

Requirement 1: Agencies must implement an ISMS based on ISO 27001

Requirement 2: Agencies must apply a systematic and repeatable approach to security risk management

Requirement 3: Agencies must meet minimum information security requirements. Queensland Government agencies must comply with the:

  • Queensland Government Information security classification framework (QGISCF)
  • Data encryption standard (DES)
  • Queensland Government authentication framework (QGAF)
  • Agencies must also implement the Australian Signals Directorate’s (ASD) Essential Eight Strategies. This includes the selection of Maturity Level target(s), with control selection (link to new control guideline (TBD)) and application based on the agency’s risk appetite.

Requirement 4: Accountable officers must obtain security assurance for systems

Requirement 5: Accountable officers must attest to the appropriateness of agency information security annually

Reference: QLD IS:18 Policy


Victoria

Established under Part 4 of the Privacy and Data Protection Act 2014, the Victorian Protective Data Security Framework (VPDSF) provides direction to Victorian public sector agencies or bodies on their data security obligations.

https://ovic.vic.gov.au/information-security/framework-vpdsf/

The Victorian Protective Data Security Framework (VPDSF) and the accompanying Victorian Protective Data Security Standards (VPDSS) are mandatory for all Victorian Public Sector (VPS) agencies and bodies (VPS organisations).

The VPDSF consists of:

  1. A Security Risk Profile Assessment (SRPA), which uses risk to guide organisations in selecting the controls to apply.
  2. A Protective Data Security Plan (PDSP), a reporting mechanism that shows the organisation’s maturity level and attests to a security roadmap as directed by the SRPA.
  3. A standard made up of 12 ‘sub-standards’, encompassing controls from the ISM, Essential Eight, NIST CSF and ISO 27001.

As part of the Office of the Victorian Information Commissioner (OVIC)’s reporting milestones, applicable organisations must provide OVIC with a number of actions/artefacts in 2024 (see below).

Action/artefact and timeframe:

  • Undertake and/or update a Security Risk Profile Assessment (SRPA) for the organisation. Timeframe: Annual
  • Provide OVIC with an Attestation by the public sector body Head. Timeframe: Annual
  • Submit a PDSP (including an Attestation) by the public sector body Head. This must cover the reporting period for the last two years and a plan for the next four. Timeframe: Biennial (every 2 years)
  • Submit an updated PDSP to OVIC if there is significant change to the operating environment of the VPS organisation and/or the security risks relevant to the VPS organisation. Timeframe: In consultation with OVIC as required
  • Notify OVIC of any information security incidents that compromise the confidentiality, integrity, or availability of public sector information and have a ‘limited’ business impact or higher on government operations, organisations or individuals. Timeframe: As required

VPDSF vs Essential Eight

The federal Government mandates the adoption and reporting of the Essential Eight Framework for all non-corporate Commonwealth entities (NCCEs). Beyond the NCCEs, Essential Eight is influenced by Departments whose jurisdiction resides within Victoria. This is particularly prevalent for “Portfolio” Government agencies that use Essential Eight as a benchmark for themselves and their group or function agencies.

The Essential Eight mitigation strategies are leveraged to bolster the granularity of the implementation guidance set by OVIC. This includes:

  • Standard 4 – Information Access: Restrict administrative privileges, User application hardening, and Multi-factor authentication
  • Standard 11 – Information Communications Technology (ICT) Security: User application hardening, Patch applications, Application control, Configure Microsoft Office macro settings, Patch operating systems and Regular backups

What is Missing?

  • VPDSF would benefit tremendously from a commitment from OVIC to a strategy for validating agencies’ PDSP submissions against historical attestations.
    • This should include the development of a maturity model that enables some form of benchmarking, with guidance on how to measure target state and progression. The focus should be improved guidance on control effectiveness.
    • VPDSS is both a framework and a standard. Some elements are rigid, as requirements in a standard, while others provide flexibility. This lack of consistency can make it challenging for organisations assessing maturity.
  • Incorporation of Artificial Intelligence into the VPDSS, leveraging the lessons learnt from the AI questionnaire results of PDSP submissions in 2024.
  • Incorporation of Threat Intelligence into the VPDSS, using relevant industry threat intelligence to aid proactive and fit-for-purpose decision making.


Australian Capital Territory

The ACT Government has a comprehensive Cyber Security Framework designed to protect its information, systems and assets. The framework is derived from the ACT Government’s Cyber Security Policy and includes several key components.

  • Protective Security Policy Framework (PSPF): Sets out the government’s approach to protecting people, information and assets. It helps entities within the ACT Government understand and assess vulnerabilities, achieve the levels of protective security expected by the government, and develop an appropriate security culture.[1]
  • Essential Eight: The ACT Government has implemented the Essential Eight strategies recommended by the Australian Signals Directorate (ASD) to enhance its cyber security posture. The ACT Government’s Critical Infrastructure Framework mandates that all Territory critical infrastructure assets implement and maintain cyber security measures that, at a minimum, meet the Essential Eight Maturity Model at maturity level 1.[2]
  • Governance, Risk and Compliance: Ensures that the ACT Government’s cyber security practices align with relevant laws, regulations and standards. This includes regular audits as delegated by their CISO, risk assessments and compliance checks.
  • Incident Response: A structured approach to managing and responding to cyber security incidents. This includes identifying, containing, eradicating and recovering from incidents, as well as learning from them to improve future responses.[3]

[1] www.act.gov.au/open/act-protective-security-framework
[2] https://www.act.gov.au/__data/assets/pdf_file/0005/2567282/Critical-Infrastructure-Framework.pdf
[3] www.act.gov.au/open/act-protective-security-framework

What is the purpose of the Cyber Security Framework?

The purpose of the ACT Government Cyber Security Framework is to ensure the protection of the government’s information, systems and assets. The framework aims to:

  • Enhance Security: Implement measures to protect information and systems from cyber threats, vulnerabilities and attacks.
  • Ensure Compliance: Align with relevant laws, regulations and standards to maintain compliance and protect sensitive information.
  • Build Resilience: Develop robust systems and processes to withstand and recover from cyber incidents, ensuring continuity of government services.
  • Promote Awareness: Raise awareness and educate employees about cyber security best practices and the importance of safeguarding information.
  • Improve Governance: Establish clear roles, responsibilities and policies for managing cyber security across the government.

Essential Eight requirements for the Territory:

The Essential Eight is mandated for the ACT Government. As the ACT Government Cyber Security Policy outlines their requirement to abide by the PSPF, section 14.2 of the PSPF Release 2024 outlines the Essential Eight Strategies.

The ACT Government’s Critical Infrastructure Framework, SOCI 7 – Essential Eight Maturity Model (ML1):

Applicable to:

  • Territory critical infrastructure regulated by the SOCI Act.
  • Non-regulated Territory critical infrastructure.

The requirement is to implement and maintain cyber security measures under the Essential Eight Maturity Model, or an equivalent cyber security framework, to maturity level one as a minimum.

Other Standards and Frameworks used in the Territory:

In addition to the Essential Eight, the ACT Government follows several other cyber security frameworks and standards to ensure the security of its information, systems and assets. These include:

  1. PSPF
  2. Cyber Security Act 2024
  3. ISO/IEC 27001
  4. NIST CSF
  5. Australian Government Information Security Manual (ISM)

These standards and frameworks, along with the Essential Eight, help the ACT Government maintain a robust cyber security posture and protect its information and systems from various cyber threats.

Map common themes and controls from local framework to Essential Eight:

The ACT Government is required to undertake risk assessments and follow a cyber security framework for all systems. Where systems are not assessed against the Essential Eight, an appropriate framework is selected to ensure critical infrastructure meets the equivalent of maturity level 1. As mentioned in section 5.1.4, other frameworks comparable to the Essential Eight are being used.


South Australia

The South Australian Cyber Security Framework (SACSF) provides information security guidance for all aspects of South Australian government agencies and government agency suppliers. The framework is a tiered model for agencies to implement the best guidance and control implementation for their size, complexity, and criticality. The SACSF leverages best guidance from international cyber security frameworks and is supported by a variety of standards, rulings, and guidelines to assist agencies and related parties in aligning to the framework.

The SACSF consists of:

  • A Cyber Security Risk Appetite Assessment: Agencies are required to develop a risk appetite statement that defines the agency’s appetite for cyber risks;
  • A SACSF Tier Selection: Agencies assess and choose the tier based on the size, complexity and criticality to identify relevant guidance to their agency;
  • A Cyber Security Program: Agencies are required to develop a cyber security program (CSP), which defines the agency’s approach to cyber risk management;
  • A Cyber Security Calendar: Used by agencies to track their cyber security activities and key initiatives that support their CSP;
  • Asset Identification and Classification: Agencies are required to identify and classify their critical systems, services and processes; and
  • Risk Assessments: Agencies are required to identify and assess their cyber risks, develop risk treatment activities and monitor their cyber risks.

The framework defines 21 policy statements that sit under four overarching principles:

  • Governance;
  • Information;
  • Personnel; and
  • Physical.

Agencies are required to meet the requirements of all 21 policy statements and provide an annual attestation which details their current alignment to the SACSF.

Purpose of the South Australian Cyber Security Framework

The SACSF allows agencies to:

  • Implement a consistent risk-based approach to information security for the whole of South Australian government;
  • Embed cyber risk management into existing risk management frameworks;
  • Provide assurance to interested parties that information entrusted to the South Australian government is being protected;
  • Maintain alignment with information security expectations outlined in legal and regulatory requirements; and
  • Maintain alignment with internationally recognised cyber risk management practices.

Annual Attestation: Essential Eight Reporting

The SACSF Guideline 9.0 – Essential Eight: Reporting and use in SA Government sets out the implementation and reporting requirements for SA Government agencies in relation to the Essential Eight. It also provides guidance and resources to support agencies with their Essential Eight obligations.

In May/June each year, SA Government agencies are required to complete an attestation on their security maturity and capability against the SACSF expectations. Reporting Essential Eight maturity is included in the attestation process.

Reporting against the Essential Eight Maturity Model provides a strategic benchmark for SA Government, highlighting improvement and training opportunities, areas of risk, and standardising the reporting approach across Commonwealth, state and territory governments, and industry.

While there is no expectation or requirement that agencies meet a certain maturity level against the Essential Eight, target maturity levels should be considered based on the levels of adversary tradecraft and targeting likely for their environment.

As a minimum, it is recommended that agencies plan to achieve Maturity Level One across all mitigation strategies.


Western Australia

The State Government has implemented The Western Australian Government Cyber Security Policy 2024[4] (‘The Policy’) to provide a systematic and comprehensive approach to reduce cyber security risk. The Policy specifies which measures in scope entities are required to undertake, to manage and report on their cyber security risks.

In-scope entities include agencies defined in the WA Public Sector Management Act (1994), Schedule 1 entities in the Act, the six Western Australian based universities and all WA Government Trading Enterprises (GTEs).

The Policy sets out the baseline capabilities and practices required to align with:

  • The Australian Cyber Security Centre’s (ACSC) Essential Eight, Maturity Level One (November 2022);
  • Components of the US National Institute of Standards and Technology Cyber Security Framework (NIST CSF v2.0) best practices for reducing cyber security risk; and
  • The “Further Five” (F5) Mitigation Strategies including Server Application Hardening, Blocking Spoofed Emails, Network Segmentation, Continuous Incident Detection and Response, and Personnel Management, based on the entity’s cyber risk assessment.

While The Policy mandates a minimum set of cyber security measures, entities are required to undertake a cyber security risk assessment to determine if there are additional measures that are necessary to manage risk. These include the ACSC Essential Eight Mitigation Strategies higher than Maturity Level One, the “Further Five” and any applicable ACSC controls. The necessity to implement additional measures is based on the outcome of the cyber security risk assessment (i.e. identification of intolerable risk).

The cyber security risk assessment includes identification, analysis and evaluation of cyber threats with the potential to cause material impact to staff, operations and organisational assets. Entities should utilise their enterprise risk framework to enable consistent use of language, assessment criteria (i.e. likelihood, consequence, appetite and tolerance definitions), assessment steps, documentation requirements, communication requirements and escalation requirements. Cyber security context, known vulnerabilities and threats, critical information and supply chain risk should be considered during the cyber security risk assessment.

In scope entities must submit an Annual Implementation Report (AIR), approved and endorsed by the entity’s Accountable Authority, to provide continuous reporting every calendar year (with AIR submission forms published every fourth quarter of the calendar year). The AIR enables visibility across in scope entities and promotes cyber security capability development across those governed by The Policy.

[4] Western Australian Government Cyber Security Policy (2024) – Available from: https://www.wa.gov.au/system/files/2024-12/wacybersecuritypolicy.pdf
