Victorian Legal Services Board and Commissioner Minimum Cybersecurity Expectations

The Minimum Cybersecurity Expectations helps Australia Victorian law practices protect their clients’ data and meet their legal and ethical obligations. Law practice principals should use The Minimum Cybersecurity Expectations as a guide to the basic system and behavioural controls that need to be implemented.

Overview

The Minimum Cybersecurity Expectations help law practices protect their clients’ data and meet their legal and ethical obligations, They also list examples of unacceptable cybersecurity practices that The Victorian Legal Services Board and Commissioner consider capable of amounting to unsatisfactory professional conduct (UPC) or professional misconduct (PM). Law practice principals should use The Minimum Cybersecurity Expectations as a guide to the basic system and behavioural controls you need to implement. This includes the critical system controls without which your practice is most vulnerable. If there are any security update critical controls that you are yet to implement, these should be your highest priority.s.

Purpose

Strong cyber security is an important component of the NSW Beyond Digital Strategy, enabling the effective use of emerging technologies and ensuring confidence in the services provided by NSW Local Government. Cyber security covers all measures used to protect systems – and information processed, stored or communicated on these systems – from compromise of confidentiality, integrity and availability. Councils should establish effective cyber security policies and procedures and embed cyber security into risk management practices and assurance processes. When cyber security risk management is done well, it reinforces organisational resilience, making entities aware of their risks and helps them make informed decisions in managing those risks. This should be complemented with meaningful training, communications and support across all levels of the Council.

Purpose

The NSW Cyber Security Policy applies to all NSW Government departments and public service agencies, including statutory authorities, and all NSW Government entities that submit an annual report to a Secretary of a lead department or portfolio, direct to a Minister or direct to the Premier. In this policy, references to “lead portfolio departments” or “portfolios” mean the departments listed in Part 1, Schedule 1 of the Government Sector Employment Act 2013.2 The term “agency” is used to refer to any or all NSW Government departments, public service agencies and statutory authorities. References to employees and contractors applies to people who have access to NSW Government systems and/or information and communications technology (ICT). The NSW Cyber Security Policy applies to: information, data and digital assets created and managed by the NSW public sector, including outsourced information, data and digital assets; ICT systems managed, owned or shared by the NSW public sector, including cloud services and operational technology (OT) and Internet of Things (IoT) devices that handle government data, government-held citizen data or provide government services.

Purpose

System controls and behavioural controls are two types of cybersecurity measures to protect information systems and data: System controls encompass the technical safeguards implemented within an organisation’s information systems to protect against external threats and vulnerabilities. Behavioural controls focus on influencing and regulating human behaviour to minimise security risks. Both types of controls work together to protect your law practice from any potential security threats. Many of them will be straightforward for individuals to implement (e.g. turning on automatic software updates). However, you also need to consider whether your practice requires additional security measures, based on its size and capability, the type of work you perform, and the nature and location of your clients.

Purpose

The Office of the Australian Information Commissioner (OAIC) will refer to this guide when undertaking its Privacy Act functions, including when investigating whether an entity has complied with its personal information security obligations (s 40) or when undertaking an assessment (s 33C). Information on when and how we might exercise our regulatory powers is available in the OAIC’s Privacy regulatory action policy.

Principles

SOC 2 reports are unique to each organization, reflecting the specific business practices and the services they provide. However, the framework is built around five trust service principles: 1) Security: The system is protected against unauthorized access (both physical and logical). 2) Availability: The system is available for operation and use as committed or agreed. 3) Processing Integrity: System processing is complete, valid, accurate, timely, and authorized. 4) Confidentiality: Information designated as confidential is protected as committed or agreed. and 5) Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice. Organizations can choose which of these principles are relevant to their business and will be included in the SOC 2 report. The auditing process for a SOC 2 certification requires companies to establish and follow strict information security policies and procedures, encompassing the security, processing integrity, and confidentiality of customer data. The result of the audit is a detailed report that includes the auditor’s opinion on the effectiveness of the controls in place related to the trust service principles.

Details

ISO 27001 sets out the specification for an information security management system (ISMS) and consists of two parts: 1. The first part includes mandatory requirements that focus on ensuring an Information Security Management System (ISMS) has been developed. An ISMS includes a range of policies and supporting standards, objectives, resource support and governance programs such as reviewing security controls, managing non-compliance and ensuring continual improvement. This part has a strong focus on ensuring board and top level management provide approach support to the ISMS. 2. The second part is called Annex A or 27002 and this is list of controls that are used by auditors to measure an organisation when applying for certification. An organisation will stipulate which controls are in scope of their ISMS, during the audit process in a document called the Statement of Applicability (SoA), typically most are.

Get certified

Businesses can self assess themselves using the Assessment process in Assuredly for Tiers 1-3 and get certified. Once complete businesses can request certification without needing to engage an independent auditor. The certification is built around five areas of focus that each have a set of requirements. The areas of focus are: 1. Technology Management 2. Access Management 3. Backup & Recovery 4. Policies, Plans, & Procedures 5. Education & Training

Background

The health check is a pragmatic approach to assessing the most basic controls in an organisation before they embark on standards which require significant time and investment.

Maturity Levels

Maturity Level 1 - ASD state that generally, Maturity Level One may be suitable for small to medium enterprises. The focus of this maturity level is to put in place the key controls to combat against adversaries who are looking for any victim rather than a specific victim. Maturity Level 2 - ASD state that generally, Maturity Level Two may be suitable for large enterprises. The focus of this maturity level is to enhance controls for companies who have valuable enough data or market presences that makes investment by threat actors in developing tools and deploying more advanced techniques worthwhile. Maturity Level 3 - ASD state that generally, Maturity Level Three may be suitable for critical infrastructure providers and other organisations that operate in high threat environments. The focus of this maturity level is to enhance controls for companies who have valuable enough data or market presence where threat actors are a significant concern and are likely to be deploying adaptive techniques.

Practice Areas

NIST CSF was primarily created to help US federal agencies and organisations better manage their risk. NIST CSF is a set of just over 100 requirements that cover a broad range of practice areas. Compliance with NIST CSF can ease the way to compliance with other security frameworks including the Payment Card Industry Data Security Standard (PCI DSS) and IT general controls for Sarbanes-Oxley Act (SOX). NIST CSF is a sub-set of NIST 800-53 which are security rules that cover 18 areas, including access control, incident response, business continuity and disaster recovery.

More Information

Councils are increasingly dependent on digital technologies and are a target for state-based, criminal and activist threat actors. A cyber-attack or incident has a risk of major disruption to services and operations, with genuine risk to critical infrastructure and services. Strong cyber security enables the effective use of emerging technologies and ensures confidence in the services provided by NSW local governments. The Guidelines should form the basis of an internally developed cyber security policy for individual NSW councils. Cyber Security NSW does not offer funding assistance for the implementation of the Guidelines or other cyber security maturity uplift.

Reporting Requirements

By 31 October each year, Cyber Security NSW must be provided with a report for each agency, either via the portfolio CISO or directly to Cyber Security NSW. Reporting must include: a) an assurance assessment against all Mandatory Requirements in the NSW Cyber Security Policy for the previous financial year, b) cyber security risks with a residual rating of high or extreme; and c) an attestation on cyber security. If an agency does not have any high or extreme residual cyber risks, they can provide a response of “not applicable”. Residual risks must be tracked and managed in a risk register and reviewed in accordance with the agency’s enterprise risk management framework. Risks exceeding the risk appetite and risk tolerance must be escalated to the Agency Head, or authorised officer who is responsible for risk acceptance.

Included

The Minimum Cybersecurity Expectations set out Critical controls, System controls and Behavioural controls. Critical system controls are deemed to be controls that without your practice is most vulnerable. If there are any critical controls that you are yet to implement, these should be your highest priority. System controls encompass the technical safeguards implemented within an organisation's information systems to protect against external threats and vulnerabilities. Behavioural controls focus on influencing and regulating human behaviour to minimise security risks.

Included

Part A discusses five general circumstances that affect what steps an entity should take to protect personal information. Under nine broad topics, Part B outlines examples of key steps and strategies you should consider taking to protect personal information including a number of questions you should ask yourself when considering or implementing these steps or strategies.

Types of Reports

There are two types of SOC 2 reports: Type I reports on a service organization's systems and the suitability of the design of controls at a specific point in time. Type II reports on the effectiveness of these controls over a period, typically a minimum of six months. SOC 2 compliance is not a one-time event but an ongoing process that requires regular audits to maintain. It's seen as a benchmark in the industry, providing assurance to clients and partners that a service organisation has implemented robust controls to protect their data in accordance with industry best practices.

Updates

In 2022, 12 changes were made to the mandatory ISO 27001 requirements including the addition of one new requirement. In Annex A 27002 there are 7 new controls and 7 have been scrapped, a number of controls have been merged and some definitions have changed. The ISO 27001 standard also sets out mandatory requirements for setting information security objectives, ensuring necessary support for the ISMS such as providing resources and training, protecting relating documents and requiring an overall evaluation of the ISMS is implemented. Evaluation includes monitoring, analysis, auditing, management review and continual improvement. It is expected that an information security management system implementation will be scaled in accordance with the needs of the organisation.

Principles

Principles of SMB1001 are that they are: Updated annually by a steering committee comprising of experts from public and private sector. 5 levels of requirements are updated to latest cyber threats, for the right organisational profile Affordable (Level 1 certification starts from only AUD 95) Allows SMBs to align to multiple standards as they progress up the levels (e.g. ASD Essential 8, UK Cyber Essentials, CMMC Level 1) – 1 certification to cover all standards. Easy-to-understand language. Encourages directors to take ownership of cyber (aligning to government expectations). Certifiable, requiring an annual recertification (i.e. an annual vaccination against latest threats).

Practice Areas

When looking at standards from across all sectors and industries common practice areas are found. The health check covers the most commonly required controls in each of the 16 practice areas.

History

The Essential Eight Maturity Model, first published in June 2017 and updated regularly, supports the implementation of the Essential Eight. It is based on ASD’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations to implement the Essential Eight. When implementing the Essential Eight, organisations should identify and plan for a target maturity level suitable for their environment. Organisations should then progressively implement each maturity level until that target is achieved. As the mitigation strategies that constitute the Essential Eight have been designed to complement each other, and to provide coverage of various cyber threats, organisations should plan their implementation to achieve the same maturity level across all eight mitigation strategies before moving onto higher maturity levels.

NIST 800-53

Implementing the security controls needed to comply with NIST 800-53 brings entities and their technology products or services in line with the U.S Federal Information Security Modernization Act (FISMA) and with the U.S Federal Information Processing Standard Publication 200 (FIPS 200). NIST is the abbreviated name for the National Institute of Standards and Technology. It’s one of many federal agencies under the U.S. Department of Commerce, and is one of the oldest physical science laboratories in the United States.

Requirements

20 guidelines, one of these is the Essential Eight which comprises of an additional 48-152 controls depending on the level of Maturity to aim to achieve.

114 controls set out in 3 main categories and 31 sub-categories.

11 Critical controls, 27 System controls and 18 Behavioural controls.

Under nine broad topics, Part B outlines 252 questions organisations can consider.

5 broad categories, 12 sections, 61 subsections, 296 criteria

123 controls including 30 controls in Part A which are mandatory Requirements and 93 optional/suggested controls.

46 controls stepped across 5 Tiers. Tier 1 is 6 controls while Tier 5 is all 46 controls. The 46 controls are set out in 5 Categories (Technology Management, Access Management, Backup and Recovery, Policies, Processes and Plans and Education and Training.)

8 strategies, 91 controls

25-30 key controls across 16 practice areas

Circa. 120 requirements.

Governed by

Cyber Security NSW, Department of Customer Service

Cyber Security NSW, Department of Customer Service

The Victorian Legal Services Board + Commissioner

Office of the Australian Information Commissioner

American Institute of Certified Public Accountants, Inc. (AICPA)

International Organization for Standardization (ISO)

Cyber Security Certification Australia and CyberCert

The Australian Cyber Security Centre (ACSC)

InfoSecAssure

National Institute of Standards and Technology (NIST)

Region focus

Australia

Australia

Australia

Australia

Global

Global

Australia

Global

Australia

US

How Assuredly can help

By conducting an Assuredly Cyber Security NSW Local Government Assessment local government agencies can instantly access maturity scores against every requirement set out by the guidelines and get automated suggested action plans and access to a broad range of tools and templates to uplift controls required to achieve the intent of the guidelines. Assuredly could be your ultimate partner in safeguarding your business against cyber threats! Our platform offers a seamless and guided assessment process tailored to your specific needs. By utilising our expert guidance, you gain access to valuable information that demystifies the Cyber Security NSW Local Government requirements. Easily understand control requirements, learn how to effectively test them, and be equipped with the exact evidence auditors look for. The results are displayed instantly on our intuitive dashboard, empowering you with real-time insights. Additionally, you can effortlessly generate comprehensive reports that align findings with risks and controls, ensuring you stay ahead in the ever-evolving world of cybersecurity. Join Assuredly now and embark on your journey to fortified digital security!

By conducting an Assuredly NSW Cyber Security Policy Assessment government agencies can instantly access maturity scores against every requirement set out by the policy and get automated suggested action plans and access to a broad range of tools and templates to uplift controls required to achieve the intent of the guidelines. Assuredly could be your ultimate partner in safeguarding your agency against cyber threats! Our platform offers a seamless and guided assessment process tailored to your specific needs. By utilising our expert guidance, you gain access to valuable information that demystifies the NSW Cyber Security Policy requirements. Easily understand control requirements, learn how to effectively test them, and be equipped with the exact evidence auditors look for. The results are displayed instantly on our intuitive dashboard and automated risk register, empowering you with real-time insights. Additionally, you can effortlessly generate comprehensive reports that align findings with risks and controls, supporting your mandatory requirements to Cyber Security NSW - ensuring you stay ahead in the ever-evolving world of cybersecurity. Join Assuredly now and embark on your journey to fortified digital security!

By conducting an Assuredly Victorian Legal Services Board and Commissioner Minimum Cybersecurity Expectations Assessment law firms can instantly access maturity scores against every requirement set out by this standard and get automated suggested action plans and access to a broad range of tools and templates to uplift controls. Assuredly is your ultimate partner in safeguarding your business against cyber threats while also meeting the requirements set out by the Victorian Legal Services Board and Commissioner. Our platform offers a seamless and guided assessment process tailored to your specific needs. By utilising our expert guidance, you gain access to valuable information that demystifies the Victorian Legal Services Board and Commissioner Minimum Cybersecurity Expectations . Easily understand control requirements, learn how to effectively test them, and be equipped with the exact evidence auditors look for. The results are displayed instantly on our intuitive dashboard, empowering you with real-time insights. Additionally, you can effortlessly generate comprehensive reports that align findings with risks and controls, ensuring you stay ahead in the ever-evolving world of cybersecurity. Join Assuredly now and embark on your journey to fortified digital security!

By conducting an Assuredly Privacy Reasonable Steps Assessment companies can instantly access maturity scores against every requirement set out by this standard and get automated suggested action plans and access to a broad range of tools and templates to uplift controls. Assuredly could be your ultimate partner in safeguarding your business against cyber threats! Our platform offers a seamless and guided assessment process tailored to your specific needs. By utilising our expert guidance, you gain access to valuable information that demystifies the Privacy Reasonable Steps Guide. Easily understand control requirements, learn how to effectively test them, and be equipped with the exact evidence auditors look for. The results are displayed instantly on our intuitive dashboard, empowering you with real-time insights. Additionally, you can effortlessly generate comprehensive reports that align findings with risks and controls, ensuring you stay ahead in the ever-evolving world of cybersecurity. Join Assuredly now and embark on your journey to fortified digital security!

By conducting an Assuredly SOC2 Assessment companies can instantly access maturity scores against every requirement set out by this standard and get automated suggested action plans and access to abroad range of tools and templates to uplift controls required to achieve their certification. Discover the exceptional world of Assuredly - your ultimate platform for achieving unparalleled business excellence! We offer an exclusive guided process designed to seamlessly assess your business against the coveted SOC2 requirements. Experience a personalised journey with expert assistance at every step, empowering you to access invaluable information on control requirements, testing procedures, and even the precise evidence auditors seek. With just a click, witness the magic unfold as outcomes are instantly showcased on a dynamic dashboard. But that's not all – brace yourself for the added advantage of creating meticulously detailed reports, effortlessly aligning findings to risks and controls. Elevate your security standards and join the Assuredly revolution today! Sign up now for a secure future! ‍

By conducting an Assuredly ISO 27001 Assessment companies can instantly access maturity scores against every requirement set out by this standard and get automated suggested action plans and access to abroad range of tools and templates to uplift controls required to achieve their certification. Discover the power of Assuredly, your ultimate ally in safeguarding your business! Unveil a seamless journey towards ISO 27001 compliance as our platform offers expert guidance throughout the assessment process. Unravel vital insights into control requirements, conduct efficient control testing, and grasp the exact evidence an auditor seeks. Behold the magic of instant dashboard feedback, unveiling your outstanding achievements. Additionally, create meticulously detailed reports that seamlessly align findings with risks and controls. Join Assuredly today and unlock the realm of security and success for your business!

Assuredly offers a seamless, guided process that will effortlessly walk you through assessing your business against the SMB 1001 Requirements. Whether you are small business looking to get your first security certificate and want to achieve Tier 1 or your are a professional advisor looking to support companies achieve Tier 5 Assuredly allows you to Instantly access Help Guides that assist you in implementing controls which you don’t yet have in place. Be told up front what auditors would require to verify the control is in place. Add evidence to your assessment which can be audited if required. Get instant and automated suggested action plans for weak controls. Automatic risk registers created with associated risk treatment plans. A clear view of how well your business has achieved against the SMB 1001 standard in easy-to-understand graphs. Certification process. Get your SMB 1001 Certification Today!

Discover the empowering world of Assuredly - your ultimate partner in ensuring your business's security! Our platform offers a seamless, guided process that will effortlessly walk you through assessing your business against the crucial Essential Eight requirements. Say goodbye to confusion, as our expert guidance provides you with invaluable insights into control requirements, testing procedures, and even auditor expectations for evidence. With lightning-fast outcomes displayed on our intuitive dashboard, you'll feel in control like never before. Take it a step further and create comprehensive, detailed reports that align findings back to risks and controls. Join Assuredly today and embark on a journey towards a secure and fortified future for your business! ‍

By conducting an Assuredly Health Check companies can instantly access maturity scores against every requirement set out by this standard and get automated suggested action plans and access to abroad range of tools and templates to uplift controls required to achieve a secure business and get their foundation security in place. Unlock the full potential of your business's security with Assuredly, your trusted partner in safeguarding success! Our platform offers a unique guided process to assess your business against fundamental security requirements, providing you with expert support every step of the way. Gain exclusive access to essential information, demystifying control requirements, testing procedures, and auditor expectations. Experience the thrill of instant dashboard feedback, revealing your triumphs in real-time. Moreover, craft detailed reports aligning findings with risks and controls, effortlessly shareable with stakeholders, freeing you from ever answering a security questionnaire again. Elevate your security game and sign up for Assuredly today, because a secure future awaits!

By conducting an Assuredly NIST CSF Assessment companies can instantly access maturity scores against every requirement set out by this standard and get automated suggested action plans and access to a broad range of tools and templates to uplift controls required to achieve their certification. Assuredly could be your ultimate partner in safeguarding your business against cyber threats! Our platform offers a seamless and guided assessment process tailored to your specific needs. By utilising our expert guidance, you gain access to valuable information that demystifies the NIST Cybersecurity Framework requirements. Easily understand control requirements, learn how to effectively test them, and be equipped with the exact evidence auditors look for. The results are displayed instantly on our intuitive dashboard, empowering you with real-time insights. Additionally, you can effortlessly generate comprehensive reports that align findings with risks and controls, ensuring you stay ahead in the ever-evolving world of cybersecurity. Join Assuredly now and embark on your journey to fortified digital security!