Victoria's government today unveiled the state's first cyber security strategy. At the heart of the strategy is a shift to a whole-of-government approach for information security.
The state government signed off on the strategy earlier this year and began the process of recruiting a chief information security officer (CISO) to oversee its implementation.
A state government Network and Cyber Security Statement of Direction was issued in August 2016 following the launch last year of a new ICT strategy for the state. New South Wales, Tasmania and South Australia also recently established CISO positions to boost information security efforts.
Victoria's CISO will sit within the Department of Premier and Cabinet.
DPC's security efforts will continue to receive support from a whole-of-government Information Security Advisory Group, which is a subcommittee of the Chief Information Officers Leadership Group.
The government CISO "will oversee government's response to the cyber threat, develop best practice, provide assurance, report internally on our cyber security status, and coordinate cross-government action," states the new strategy document (PDF).
"The CISO will not replace the individual responses and accountability within each government agency to address risks in the cyber landscape, nor will it assume responsibility within these agencies to address the standards issued by the Office of the Victorian Information Commissioner," the strategy states.
"Rather, the CISO will coordinate cross-government responses in those areas where a whole-of-government approach is preferable, more efficient and will provide better security outcomes than individual approaches - for example, the creation of whole-of-government cyber services, capabilities, reporting, executive engagement, and information dissemination."
The CISO will be backed by a staffed unit within DPC.
Another key initiative outlined in the strategy is the development of clearer "cyber emergency" governance arrangements. That work will be undertaken in consultation with Emergency Management Victoria and seek to ensure that "cyber threats" are one of the emergency risks considered by the owners and operators of critical infrastructure in the state.
The strategy envisages greater efforts to build partnerships both across government and with the private sector. As part of this, the Cyber Security Strategy Group, which launched in August 2016, is working on developing an intelligence-sharing mechanism with a deadline of October this year.
In addition, a procurement panel will be established by June next year to access private sector cyber security services.
Procurement of some services will continue at the department and agency level; however, the strategy states that procurement of some security services on a whole-of-government basis makes sense.