The South Australian Cyber Security Strategic Plan 2018-2021 seeks to safeguard state infrastructure, digital assets and citizen information against the increasing incidence of cybercrime and espionage. This will help deliver more responsible data sharing for social change, better protect the safety and prosperity of South Australians, and enhance the government’s digital engagement with the business community.

The plan sets out the next three years' program of work to transform the South Australian Government into a centre of excellence for cyber security. Consisting of 11 core objectives and 39 activities, the comprehensive strategy comprises three strategic themes: Influence Leadership, Build Resilience and Share Responsibility.

South Australian Cyber Security Strategic Plan 2018-2021 (PDF, 2.4 MB)

Influence Leadership

Strengthen the role of government in providing sound governance and clear accountabilities for a whole of government approach to cyber security.

  • Plan and develop policy frameworks

    Action | Success Criteria | Status
    Develop a South Australian Government Cyber Security Strategic Plan An approved and published South Australian Government Cyber Security Strategic Plan on SA.GOV.AU by January 2018 Complete
    Review the appropriateness and currency of existing cyber security policies for the South Australian Government. Information Security Management Framework (ISMF) 3.2 to be replaced by a simplified ISMF 4.0, and all associated standards and guidelines reviewed and updated by 30 June 2018. Complete
    Deliver Cloud Security standards and guidelines by 30 June 2018. Complete
    Contribute to the delivery of an updated PC030 – Protective Security Management Framework by June 2018. In progress
    Due Q2 2020
    Deliver an updated StateNet Conditions of Connection 4.0 by June 2018. Complete
    Implement a continuous improvement program and report regularly to the Senior Management Council on cyber security progress.

    Six monthly updates provided to Senior Management Council.

    Complete and ongoing

    Strategic Plan reassessed and modified in January 2019.

    Complete

    Regular reporting provided to Emergency Management Council. (NEW)

    Complete and ongoing
  • Lead people and change to improve the culture of cyber security

    Action | Success Criteria | Status
    Deliver employee training and build awareness about information security. An across government cyber and information security employee training and awareness package designed. Delayed but in progress
    Integrate cyber risks within enterprise risk management processes. Cyber and information security risks are included on operational and corporate risk registers and treated as enterprise level risks. Ongoing
    Encourage trust and confidence in online and digital service delivery.

    A reduced number and impact of security incidents related to online and digital delivery of services by January 2019.

    Ongoing
    Full mandatory integration of security considerations in design and implementation of online services. Ongoing
    Support government agencies to ensure employees in positions of trust are appropriately trained and vetted.

    Policy for all SA Government staff employed in positions of trust or working in areas delivering critical services to the state by August 2018.

    In progress
    Linked to Protective Security Management Framework activity

    Mandatory personal vetting and security screening implemented at a level appropriate to role prior to employment by August 2018.

    In progress
    Linked to Protective Security Management Framework activity
    Mandatory security training for staff employed in positions of trust by August 2018. In progress
    Linked to Protective Security Management Framework activity
  • Assign government responsibility

    Action | Success Criteria | Status
    Establish an across government Cyber Security Governance Committee. An across government Cyber Security Advisory Sub Committee of the ICT and Digital Governance Board established by January 2018. Complete
    Re-establish the across government IT Security Adviser Forum. Regular ITSA Forums delivered, with improvements to the structure and delivery based on industry and participant feedback by January 2018. Complete
    Develop a cyber security profession career path for SA Government.

    Defined role guidance for across government security personnel designed by March 2018.

    In progress

    An across government mentoring and secondment program established by June 2018.

    In progress and ongoing
    Partnerships with industry and academia established to deliver relevant and suitable training for cyber and information security. In progress and ongoing
    Take an active role in leading and influencing national cyber security initiatives.

    Increased participation by the South Australian Government in membership of relevant boards, committees and bodies in SA, nationally, and internationally.

    Complete

    Support the Joint Cyber Security Centre program and launch of the centre.

    Complete
    Support the Cyber Security Growth Network initiative and launch of the SA node (refer to SR2.1). Complete and ongoing
    Establish an across government Agency Security Executive [ASE] Forum. (NEW) ASE forums held to assist agency ASEs in delivering their responsibilities under this role. Complete and ongoing
  • Measure cyber security performance

    Action | Success Criteria | Status
    Create a Balance Scorecard for security outcomes.

    Independent across government cyber security assessment undertaken by February 2018.

    Complete

    Baselines for cyber security metrics set by February 2018.

    Complete
    Linked to new SA Cyber Security Framework
    Desired state for Cyber Security maturity defined for government agencies by June 2018. Complete
    Linked to new SA Cyber Security Framework
    Support a risk-based prioritisation of government expenditure on cyber security.

    Current levels and patterns of expenditure in cyber security across SA Government assessed.

    Ongoing
    Use of economies of scale through across government procurement of cyber services increased. Ongoing
    Establish Agency Cyber Security budgeting. (NEW) Agency budgeting methodology for funding Cyber Security initiatives reviewed with guidance provided to agencies to support procurement of cyber security services and capabilities. Ongoing
    Define the desired state for Cyber Security maturity in government agencies. (NEW) An across government maturity level is set as a benchmark for all SA Government agencies, aligning to the Top 10 Cyber Resilience and Preparedness Objective Maturity Model (refer to action - Deliver the ongoing SA Government Top Ten Cyber Resilience and Preparedness Objectives work program). In progress
    Linked to new SA Cyber Security Framework
    Integrate cyber risk into agency risk framework. (NEW) A cyber risk appetite model is developed and agreed, and each agency agrees its own risk appetite statement for cyber security. Complete

Build Resilience

Strengthen the approach to the prevention of, detection of, response to and recovery from cyber security threats and incidents.

  • Prevent and prepare

    Action | Success Criteria | Status

    Continue to develop the SA Government’s cyber resilience position.

    Independent Cyber Resilience Review undertaken by February 2018 (refer to action - Create a Balance Scorecard for security outcomes).

    Complete
    Participation in Australian Government Cyber Resilience activities to ensure alignment with state and national activities. Ongoing
    Deliver the ongoing SA Government Top Ten Cyber Resilience and Preparedness Objectives work program. Top 10 Cyber Resilience and Preparedness Objectives Maturity Model reviewed and evaluated to move from a compliance model to a prescriptive roadmap and planning model and updated in line with revised ISMF. In progress - being reviewed
    Develop a whole of government approach for the management of contractual cyber security risks. Whole of government approach developed, including standard contract clauses by June 2018. In progress
    Linked to new SA Cyber Security Framework
    Develop an external/internal vulnerability scanning and assessment capability. Full program implementation and business process established by January 2020. Complete
    Capability to be delivered by the SA Node Testing Range
    Consciously consider emerging cyber threats in the development of intelligence products. Watch Desk continues to develop its holistic threat intelligence capability. Ongoing

    Watch Desk provides timely and accurate cyber threat and intelligence information with regular feedback sought from stakeholders.

    Ongoing
    Delivery of the threat intelligence sharing platforms (refer to action - Deploy a Threat Intelligence Platform for use by all government agencies) Ongoing
    Improve security and policy control measures for areas of high risk, including critical infrastructure.

    Current security and policy control measures for high risk systems re-examined, with implementation of improvement measures commencing.

    Ongoing
    State Government Critical ICT Infrastructure program redeveloped. Ongoing
    Develop a cyber security ‘Marketplace’ or ‘Kiosk’. Economies of scale achieved through across government procurement of essential cyber security tools/services by July 2018. Strong progress but delayed

    Undertake regular cyber crisis planning, preparedness and response exercises with government and industry partners.

    An annual training program delivered each year.

    Complete and ongoing
    Cyber Terrorism exercise (funded by Australia-New Zealand Counter Terrorism Committee) undertaken. Ongoing
  • Respond and recover

    Action | Success Criteria | Status
    Enhance cyber security incident and crisis management arrangements to improve alignment with Commonwealth, State Crisis and Emergency Management arrangements.

    DPC in conjunction with CERT Australia undertake cyber security exercises for SEMC, DPC Control Agency for ICT Failure, and agency ITSAs by January 2018.

    Complete        

    SA Government response arrangements aligned with the Australian Government cyber crisis management arrangements by June 2018.

    Ongoing
    Establishment of Telecoms Sector Governance Forum to support emergency response capability. (NEW) Complete
    Review cyber insurance arrangements for government. Cyber Insurance arrangements reviewed by June 2018. Complete
    Create systems and processes for resource pooling for significant cyber security incident responses.

    Implementation of cyber security resources for the management of significant cyber security incident responses by May 2018, taking into account all skillsets required (i.e. more than just cyber security experts).

    Ongoing
    SA Communications Sector Forum’s capability and capacity developed through awareness raising exercises by May 2018. Complete
  • Grow

    Action | Success Criteria | Status
    Document and share lessons learned from significant cyber security incidents to promote cross-sector collaboration. Formal collaboration tools used by security community for inter-agency sharing of lessons are reviewed and agencies increase their utilisation by December 2018. Ongoing
    Establish uniformity of cyber security resourcing across the public sector to ensure adequate resourcing. Cyber Security Workforce Framework developed by December 2018. Strong progress
    Linked to Cyber Security Traineeships

Share Responsibility

Cultivate a collaborative approach to cyber security that brings together all levels of government with academia and the private sector.

  • Share knowledge and threat intelligence

    Action | Success Criteria | Status
    Deploy a Threat Intelligence Platform for use by all government agencies.

    Cyber Threat Intelligence Sharing Toolkit deployed for agency use by January 2018.

    Complete
    Toolkit deployed for private sector partners by June 2018. Updated approach

    Continue to develop the Watch Desk facility as a respected and leading incident detection, response and advisory group across government.

    Watch Desk facility reviewed, and improvement plan implemented by June 2018. Complete
  • Develop partnerships

    Action | Success Criteria | Status
    Support the establishment of the SA Node of AustCyber. SA Node established by January 2018. Complete        
    Support the establishment of the Joint Cyber Security Centre in Adelaide by the Australian Government. Joint Cyber Security Centre established and operating in SA by March 2018 with support from SA Government personnel. Complete        
    Establish strong and improved engagement programs and partnerships with industry.

    Partnerships and engagement programs established and continuously improved to achieve optimal outcomes for stakeholders.

    Ongoing

    Ongoing support for the work of the Australian Government Critical Infrastructure Centre.

    Ongoing
    Ongoing support for the Trusted Information Sharing Network model, including participation in appropriate governance groups and involvement in exercises and training. Ongoing
    Establish partnerships with academia to ensure suitable education and training is available within SA for cyber security skills growth.

    Partnerships and engagement programs established and continuously improved to achieve optimal outcomes for stakeholders.

    Ongoing
    Examine support for the Cyber Security Cooperative Research Centre, with potential opportunities identified by June 2018. Complete
    Strengthen and enhance cyber security resilience of South Australia through improved engagement programs and collaboration of resources. (NEW) Growth and innovation in cyber security with industries delivered through involvement with industry bodies and other government initiatives such as the Adelaide Joint Cyber Security Centre (JCSC), Lot 14, Defence SA, AustCyber and Regional Council of Bretagne. Ongoing
    Integrating with ACSC/JCSC national collaboration and threat sharing tools. Updated approach
    Support the growth of the South Australian cyber security industry. (NEW) AustCyber SA Node supported to deliver the activities within South Australia. Ongoing
  • Build capability

    Action | Success Criteria | Status
    Ensure an agile future resource capability by providing appropriate skills training. Identify common security roles with appropriate salary streams as guidance for agencies to ensure a uniform approach to security resourcing across the public sector and to assist with the attraction and retention of skilled staff within the state’s Cyber Security workforce by 31 December 2018. Strong progress
    Establish a leading Cyber Security Operations Centre.

    Review the options available for a State Cyber Security Operations Centre and report to the ICT and Digital Governance Board.

    Complete        
    State Cyber Security Operations Centre established. Due June 2021

    Research and provide common services and tools for cyber security for use by government and non-government stakeholders.

    Appropriate across government Cyber Security services and tools developed and endorsed by stakeholders. Strong progress
    Facilitate growth and innovation in cyber security with other industries. Areas (e.g. automation, artificial intelligence, cognitive computing, robotics) in which the state can facilitate growth and innovation identified during 2018 to 2021. Ongoing
    Develop a cyber security pathway and promote cyber security as a career path. (NEW)

    Establish the new Certificate IV in Cyber Security Traineeship pathway for State Government.

    Complete

    Support initiatives such as South Australian Cyber ‘Schools Challenge’ to increase student participation in Cyber Security.

    Complete
    Work with SACE Board and Department of Education to develop Cyber Security as a core curriculum subject. In progress
  • Assess societal impacts

    Action | Success Criteria | Progress
    Extend cyber security awareness to citizens via media and community engagement to create a valued cyber security conscious state.

    Public media campaign established.

    Ongoing
    Multi-year media and public relations campaign considered for launch in 2019. Updated approach
    Support community programs to raise awareness about the impact of emerging risks, vulnerabilities and developing resilience.

    Cyber security information regularly given to citizens via SA.GOV.AU.

    Ongoing

    Regular drop-in sessions for the public to ask cyber-related questions provided by 2019.

    Updated approach
    The SA Government’s community resilience strategy to include cyber threats, and the reliance on ICT. Ongoing
    Include cyber security threats in the government’s emergency management public awareness campaigns.

    Inclusion of cyber security incidents on the ‘emergencies and safety’ section of SA.GOV.AU.

    Complete
    Cyber security threats promoted at the State Emergency Management Committee via regular briefings and provision of security threat reports. Complete

Progress report

The Cyber Security Strategic Plan Progress Report outlines the activities being undertaken to implement the strategy and shows the progress made.

Cyber Security Strategic Plan Progress Report (PDF, 3.2 MB)