09/02/2021

Choosing a cyber security standard

In a digital world, cyber security is a priority for all industry sectors. Organisations and their service providers are looking to standards as a means of mitigating risk and demonstrating that they meet best practice. However, the approach to developing and adopting standards has to date been piecemeal and inconsistent, both within industry sectors and across the economy, making it difficult for organisations to know which standards to adopt. Compared with standards in other industries, such as construction, cyber security standards are still in their relative infancy (see our previous article 'Australia’s Cyber Security Strategy 2020: What you need to know').

A taskforce established by the NSW Government set about tackling this issue and recently handed down its recommendations.

NSW Cyber Security Standards Harmonisation Taskforce

The NSW Cyber Security Standards Harmonisation Taskforce was formed to accelerate the adoption of industry standards for cyber security. A collaboration between the NSW Government, AustCyber and Standards Australia, the Taskforce included experts from many industry sectors, including defence, energy, financial services and telecommunications. By collating best-practice standards, the Taskforce aimed to deliver ‘a consistent, industry-focused framework for NSW’ that would spearhead rapid adoption of consistent, internationally recognised standards across the rest of Australia.

In June 2020, the NSW Minister for Customer Service identified five key focuses for the Taskforce:

  • Improving the practice of cyber security across Australian businesses
  • Harmonising baseline standards and providing clarity for sector-specific additional standards and guidance
  • Enhancing competitiveness standards by sector for both suppliers and consumers
  • Providing greater interoperability
  • Supporting Australian cyber security companies to seize opportunities and go global

The Taskforce released its Recommendations Report, providing insights both generally and with regards to specific sectors.

Harmonisation Taskforce: 3 recommendations

The Taskforce makes three high-level recommendations in its report. It steers clear of definitively choosing, or even contrasting, the applicable standards and instead proposes the further work it considers necessary:

  • The Taskforce recommends that new practical guidance material be produced, preferably on an industry-sector basis. While the Taskforce does not detail the contents of such guidance, it suggests the guidance could direct organisations on how to select between, and implement, appropriate standards.
  • The Taskforce recommends the revision of certain standards, including in industries where cyber security has not traditionally been a focus area.
  • The Taskforce recommends the use of standards in policy and regulation, provided this is done in a considered manner. This contrasts with the frequently used “principles-based” approach to regulation, which does not mandate a particular standard. However, the report notes the challenges of mandating standards (particularly the costs this may impose on organisations) and states that merely referencing standards may also be beneficial.

The report also makes industry-specific recommendations across seven sectors. The extent to which clear direction is provided as to which standards are to be preferred differs between sectors.

Key recommendations by sector:

Cloud platforms (which the report refers to as the ‘digital backbone’)

  • Australian governments should adopt ISO and/or IEC standards as a baseline.
  • For information classified as “PROTECTED”, Australian governments should mandate ISO/IEC 27001 and SOC 2, and potentially FedRAMP (a US Government program).
  • Working with Standards Australia, guidance material should be produced on the benefits of adopting standards and on which standards suit which settings.

Defence

  • The Australian government should explore alignment with the US Government’s Cybersecurity Maturity Model Certification (CMMC).
  • Australian governments should produce material communicating the benefits and challenges of complying with international standards.
  • An interim standard or technical specification on the development of information security strategies should be established.
  • Australian businesses and governments should consider adopting the security and resilience standard ISO 22340.
  • Cyber security should be given greater consideration in procurement, sustainment and supply chain activities.

Education

  • Guidance materials should be produced highlighting the different risk-based frameworks that exist.
  • The education sector should develop a technical specification for the reporting of cyber vulnerabilities.
  • The education sector handbook, HB 167:2006, should be updated to reflect current approaches to cyber security.

Energy

  • Guidance materials should be produced communicating the benefits of cyber security practices in the energy sector.

Financial Services

  • Australian governments should consider formally participating in the development of the ISO/IEC 27000 suite of standards.
  • Better guidance materials for PCI DSS should be produced.
  • The treatment of, and approach to, the Consumer Data Right (CDR) should be considered.

Health

  • Guidance material should be developed communicating the benefits of using international standards to meet legal and regulatory requirements.
  • Future guidance by Australian governments should take a maturity-based approach that accounts for an entity’s size.
  • Australian governments should consider providing additional support to market entrants to improve access to certification and adoption of standards.

Telecommunications and IoT

  • Cyber security issues should be expressly considered in the development of government policy documents and directives.
  • Government procurement should favour organisations with strong cyber security practices.
  • The Australian government should consider convening a working party on IoT issues and the adoption of cyber security standards.

Next Steps for the NSW Cyber Security Standards Harmonisation Taskforce

The recommendations of the Taskforce scratch the surface of what is a complex topic. Rather than recommending particular standards or providing a basis for making such a selection, the report in the main recommends further guidance be produced and other areas for focus.

In the report and in press releases from Taskforce members Standards Australia and AustCyber, the Taskforce has stated that it will now develop a publicly accessible list of cyber security standards. The list will cover the seven priority sectors identified in the report and will be accompanied by a website communicating the business benefits of adopting those standards. Ultimately, the Taskforce intends the list to guide boards, executives and other decision-makers, who, by adopting the standards, will embed the Taskforce’s work in the economy.

Authors: Alice Durham, Mark Ferguson, Lesley Sutton