Government agencies should adopt global cyber security standards, a report by a group of industry experts recommends.
The NSW Standards Harmonisation Taskforce released its final report on Thursday.
The report says cloud platforms are increasingly essential to governments for building micro-services and allowing for cost-effective scaling.
“Specifying and leveraging commonly used, and globally recognised, standards is essential to ensuring the benefits of cloud are realised and maturity horizons for security are met,” the taskforce says.
“Australian government agencies … can leverage these international standards (and existing conformance testing and certification processes) to specify requirements, streamlining compliance and reducing costs for government and customers alike.”
Standardisation can also help smaller, locally based cyber security companies access government procurement, it says.
The Taskforce, established last June, is a collaboration between the NSW Government, AustCyber and Standards Australia set up to accelerate the adoption of industry standards for cyber security.
NSW Chief Cyber Security Officer and Executive Director of Cyber Security NSW Tony Chapman said the Taskforce’s report would help build cyber resilience within government.
“The work of the Taskforce in mapping standards in the complex cyber security space will be invaluable to government and business, providing further direction to build cyber resilience,” Mr Chapman said.
“Access to this type of information can assist businesses and government agencies with identifying how they might leverage standards to improve their cyber security and also position themselves to meet contractual requirements locally and internationally.”
The work of the Taskforce complements the existing NSW Cyber Security Policy, he said.
Not a panacea
The report says Australian governments should adopt International Organisation for Standardisation (ISO) and/or International Electrotechnical Commission (IEC) standards as baseline requirements for information security, protective security and supply chain security and risk management for regulatory frameworks and procurement models.
Australian governments, in relation to any new proposed cloud security requirements for services up to, and including, PROTECTED level, should consider a combination of compliance with ISO/IEC 27001, SOC 2 and potentially FedRAMP as part of a uniform security baseline.
The taskforce says the report isn’t meant to imply that standards are a panacea to the risks inherent in an increasingly digitised world.
“Rather, used in combination with the latest advances in technology, and embedded across global supply chains, they can assist in raising the cyber security posture of a government agency,” it says.
The Taskforce says in early 2021 it will provide a publicly accessible list of standards relating to cyber security setting out legal and regulatory requirements across specific sectors.