NSW’s Department of Planning and Environment has created a new information security function as part of an ongoing cyber security uplift. The new function, which sits within the department’s digital information office, was revealed in a job advertisement for a chief information security officer earlier this month. The new CISO will “take ownership in setting up” the function, including a new security operating model, and will “deliver a high-end cyber security programme across the department”.
Planning and Environment is one of several government clusters to have been allocated funding from the Digital Restart Fund (DRF) to uplift cyber security following a series of damning audits. Last financial year, it received just over $1 million to begin the uplift, which focused on remediating existing cyber security issues where the solution is known, according to the DRF annual report. A further $3.9 million is expected to be released from the fund ahead of the expected completion of the uplift in May 2022.
A spokesperson stated that the information security function had been created to protect the department from cyber attacks. The spokesperson noted that as one of the largest departments in the NSW government, it is important that they stay abreast of the latest technologies and information to protect our customers and staff from potential cyber-attacks.
The NSW government’s DRF is supporting improved processes, systems and resourcing to further strengthen their cyber security measures. The incoming CISO will provide advice to the Chief Digital And Information Officer as well as directly to the Secretary.
The department expects the executive will have a “proven track record in successfully leading a large cyber security function within a complex organisation”, according to the job advertisement. Planning and Environment is the latest government department to create or restructure cyber security functions in recent months. In July 2021, the Department of Customer Service appointed a new CISO to lead its expanded cyber security function.
Enhancing Australia’s cybersecurity
The federal government has begun consulting with industry on the aspects of its proposed critical infrastructure security laws that it was forced to sideline to pass urgent cyber incident intervention powers. The Home Affairs Minister released an exposure draft of the Security Legislation (Critical Infrastructure Protection) Bill, which she described as the “next step” in the government’s critical infrastructure reforms.
The SLCIP bill is the result of a Parliamentary Joint Committee on Intelligence and Security (PJCIS) decision to split the Security Legislation Amendment (Critical Infrastructure) Bill in half to “swiftly” legislate the most pressing reforms.
A cut-down version of the bill containing last resort powers that would allow the government to intervene to contain a cyberattack on critical infrastructure passed after being reintroduced to parliament last month. That bill also expanded the definition of critical infrastructure to a further 11 sectors, including data storage or processing, financial services and healthcare, and introduced cyber incident reporting obligations.
The SLCIP bill now out for consultation captures the “less urgent measures” that were removed from the original bill and also takes into account suggested amendments from both industry and the PJCIS report. One such reform is the introduction of enhanced cyber security obligations for the “significantly smaller subset critical infrastructure assets” that the government deems as “systems of national significance”.
The bill would give the Home Affairs Minister of the day the “ability to privately declare a critical infrastructure asset to be a system of national significance” if Australia’s national interest is likely to be impacted as a result of a cyber attack against that operator. Assets classed as systems of national significance may be required to “undertake more prescribed cyber security activities” such as cyber security exercises and vulnerability assessments to boost preparedness and remediate issues.