Australian governments and industry should adopt international cyber security standards to enhance cyber resilience while realising an array of additional benefits, according to a new report from the NSW Standards Harmonisation Taskforce.
The taskforce — a collaborative effort between the NSW government, AustCyber and Standards Australia — aims to address evolving cyber security risks through the adoption and use of common standards.
The report has highlighted key areas for standards development and implementation, and presents a number of recommendations related to seven key industries: cloud, health, defence, education, financial services, energy, and telecommunications and the internet of things (IoT).
Broadly, the taskforce has called for clear guidance material across all sectors, including on how to select and implement standards.
“The quality and volume of guidance material on implementation of specific standards needs to improve. This includes how the material maps to government frameworks (existing or proposed),” it said.
Throughout the paper the taskforce has encouraged the leveraging of recognised international cyber security standards, adding that there are many to choose from.
In regard to cloud platforms, which the taskforce has described as the “digital backbone”, providers already use a range of recognised international standards and meet an array of legal requirements across borders, the report noted.
“Specifying and leveraging commonly used, and globally recognised, standards is essential to ensuring the benefits of cloud are realised and maturity horizons for security are met,” it said.
“Australian government agencies, as well as private sector partners, can leverage these international standards (and existing conformance testing and certification processes) to specify requirements, streamlining compliance and reducing costs for government and customers alike.”
Governments and industry should be careful to factor in how standards are to be used, for what purposes, and in relation to specific public policy requirements, the report said.
“This might include consideration of the relative merits of principles-based approaches, attestation, certification and how development, adoption or use of standards might impact supply chains or procurement behaviour,” it said.
In regard to telecommunications and IoT, the report recommended governments “require agencies to explicitly consider cyber security considerations, including recognised standards”, when creating new digital policy documents and directives.
“This might, for example, be prior to cabinet or expenditure review committee consideration,” it said.
Governments should also explore mechanisms such as prioritising proposals or tender bids that demonstrate compliance with recognised international standards or codes.
Standards are not a panacea, but they can assist in guiding baseline cyber security requirements when combined with the latest advances in technology, and embedded across global supply chains, according to AustCyber CEO Michelle Price.
“This will help raise the posture of small-to-medium enterprise, organisations and government agencies to compete in the Australian market and internationally,” she said.
“Ultimately, a globally competitive Australian cyber security sector will underpin the future success of every industry in the national economy.”
The taskforce is made up of industry leaders and representatives from government and business. It began its work in June 2020 and is currently developing a publicly accessible list of cyber security standards spanning the seven priority sectors outlined in the report.
NSW chief cyber security officer and executive director of Cyber Security NSW Tony Chapman said the taskforce’s “invaluable” work in mapping standards in the cyber security space would help government and business build cyber resilience.
“Access to this type of information can assist businesses and government agencies with identifying how they might leverage standards to improve their cyber security and also position themselves to meet contractual requirements locally and internationally,” he said.