The Victorian government released its first ever Cyber Security Strategy to ensure government services and information are kept safe from cyber threats.
The Cyber Security Strategy shifts from an agency by agency approach, to a whole-of-government approach, as the government seeks to sustain strong and resilient cyber security defences that protect the delivery of public services in Victoria.
The strategy builds on the principles of being collaborative, enabling, proven, scalable, proportional and sustainable. The strategy has 23 points and is organised under five priorities of engagement, planning, partnering, service maturity and capability.
Engagement
As part of the Cyber Security Strategy, the government will appoint a Chief Information Security Officer (CISO) within the Department of Premier and Cabinet (DPC) by next month to oversee the government response to the ongoing cyber threats and co-ordinate cross government action
The CISO will not replace the individual responses and accountability within each government agency to address risks in the cyber landscape, nor will it assume responsibility within these agencies to address the standards issued by the Office of the Victorian Information Commissioner. Rather, the CISO will coordinate cross-government responses in those areas where a whole-of-government approach is preferable, more efficient and will provide better security outcomes.
A quarterly cyber security briefing and status report will be developed and presented to the Victorian Secretaries Board and the State Crisis and Resilience Committee every 3 months, from September 2017. A communication and engagement program for cyber security awareness within government will be operated from December 2017.
Planning
The government will develop cyber emergency governance arrangements with Emergency Management Victoria (EMV[1]) by October 2017, so that risks are better understood and planned for, as part of ongoing work to protect government assets and services.
The government will identify and promote common cyber security services that can be accessed and shared and undertake cyber security operational health check every 12 months, starting from March 2018 and June 2018 respectively. An ICS (industrial control systems)/ SCADA (supervisory control and data acquisition system) cyber security working group will be formed by September 2017, reporting ultimately to the State Crisis and Resilience Council. The group will develop and implement a three year multi-agency cyber security exercising program to build resilience, readiness, and capability.
Partnering
Partnerships will be strengthened across all levels of government and the private sector to share best practice, intelligence and insights.
In conjunction with Victorian Managed Insurance Authority (VMIA[2]), the government will identify high inherent risk in small and medium sized entities and establish a cyber capability uplift program including cyber security training, educational events, programs, and seminars.
The state government will also work with CERT Australia, the national computer emergency response team, to align with the National Cyber Security Exercise Program initiative stemming from Australia’s Cyber Security Strategy.
The government is in the process of establishing a Victorian Government information sharing and incident response service comprising of contract arrangements and appropriate onsite service provider. It is expected to be ready by September 2017.
Whole-of-government subscriptions for internet security and information security services will be established (by September 2017) and an integrated and federated Security Operations Centre model and implementation plan will be developed (by February 2018).
Capability
The government will develop a workforce plan by March 2018 to attract, develop and retain skilled cyber security public sector workers.
The strategy builds on the work being undertaken by the Labor Government to ensure Victoria has the best new digital technology to deliver the modern services expected by the community and that these services and the citizen data they contain are resilient against cyber-attacks.
Special Minister of State, Gavin Jennings, joined experts and IT industry representatives today to launch Victoria’s Cyber Security Strategy. He said, “As organised crime and others become more sophisticated in hacking and disrupting digital services, it’s crucial government steps up to better protect against these cyber security threats. Victoria’s first ever Cyber Security Strategy ensures we can stay ahead of the cyber criminals and develop the infrastructure, systems and processes needed to protect government services and information.”
Minister for Small Business, Innovation and Trade, Philip Dalidakis, said, “Victoria is already a hub of digital innovation, so it makes sense that we use our existing tech knowledge and talent pool to be a hub of cyber security as well. The cyber security industry is growing quickly and will surpass $100 billion in value in the next few years. It’s an industry that will create jobs and boost our economy and we need to be a big part of it.”
Recent months have seen announcement of the establishment of CSIRO’s Data61 Cybersecurity Innovation Hub, the Oceania Cyber Security Centre, the collaboration with Oxford University’s Global Cyber Security Capability Centre, and a Melbourne-based node of the Commonwealth Government’s Cyber Growth Centre in Victoria.
[2] VMIA provides insurance against damage to state assets or liabilities to third parties arising from cyber incidents.