Principle:

The agency manages security risks and supports a positive security culture, ensuring clear lines of accountability, strategic planning, assurance and review, and proportionate reporting.

1.1: Leadership

Senior leadership is ultimately accountable for the implementation and effectiveness of the agency's cyber security program (CSP). Senior leadership must be actively engaged in cyber security initiatives and champion cultural change.

Senior leadership must demonstrate a commitment to, and understanding of, the agency's CSP by providing an attestation of their current assessment against all mandatory requirements in the SACSF.

Tier One Requirements:

  • Senior leadership provides an annual attestation of the agency’s current state of alignment to the SACSF, together with a plan to meet or maintain alignment to the agency’s required tier level. The attestation covers:
    • Tasks completed during the reporting period.
    • Tasks to be completed during the new reporting period.
    • Who has responsibility for completing the associated tasks.
    • Cyber security program funding model.
  • Senior leadership allocates roles, responsibilities and resources to support and enable the agency's CSP.
  • Cyber security is regularly included in the agenda of an appropriate senior leadership body, ensuring discussion is focused on the progress of the CSP, and cyber security risks to the agency, both existing and emerging.

Tier Two Requirements:

As above

Tier Three Requirements:

As above

Tier Four Requirements:

As above

1.2: Organisational Structure and Staff Responsibilities

A structure for managing cyber security must be embedded into the agency's governance framework.

Roles and responsibilities for cyber security must be formally assigned by senior leadership, demonstrating commitment to providing suitable resources to manage the agency’s CSP.

Personnel and contractors must be provided with information and training to support awareness of their collective responsibility to foster a positive security culture.

Tier One Requirements:

Management Structure

  • The management structure for cyber security is embedded into the agency's governance framework.
  • Oversight of the agency’s CSP is assigned to an Agency Security Committee with a direct report to senior leadership.

Cyber Security Responsibilities, Training and Awareness

  • The agency has appointed a senior leader accountable for cyber security to provide strategic level guidance for the agency's CSP and ensure compliance with cyber security policy, standards, regulations and legislation.
  • Responsibility for day-to-day cyber security operations is assigned and documented in policy and relevant position descriptions.
  • Cyber security education and awareness training is provided to all personnel and contractors during induction and at least annually thereafter, ensuring they are aware of their responsibilities regarding the appropriate use of agency information assets.

Tier Two Requirements:

Management Structure

  • A dedicated Agency Security Committee is in place to enable effective communication and oversight of the agency’s CSP.
  • The Agency Security Committee is attended periodically by a member of the agency's senior leadership.

Cyber Security Responsibilities, Training and Awareness

  • Additional security training is provided to agency personnel who are in positions of trust, have heightened security responsibilities, or have increased risk profiles.
  • Personnel and contractors responsible for cyber security management and day-to-day operations must hold qualifications and maintain ongoing professional education. Accredited training should be relevant to their role and should either carry continuing professional education requirements or have been obtained within the prior five years.
  • The agency evaluates the performance of all workers with reference to cyber security responsibilities and performance requirements.

Tier Three Requirements:

Cyber Security Responsibilities, Training and Awareness

  • Skills gap assessments are performed for cyber security and IT personnel responsible for implementing or managing technical security controls. Targeted training is provided for these personnel specific to the technologies in use within the agency. Where contractors or third parties are used in place of internal resources, periodic vetting of competency is performed.

Tier Four Requirements:

Management Structure

  • The agency operates an independently certified information security management system which covers the critical services of the agency and has implemented a formal business continuity management system.
  • The agency has formally appointed and defined responsibilities for an executive or senior manager solely responsible for cyber security.

1.3: Risk Management

The agency must take steps to identify, understand, assess and manage cyber security risks to its critical processes and information assets.

Cyber security risk management processes must be embedded within the agency’s risk management framework and align to the risk appetite of the agency.

Senior leadership must be aware of current and emerging cyber security risks to the agency.

Tier One Requirements:

  • Senior leadership has documented the agency's risk appetite.
  • A risk management framework is in place and includes cyber security risk management processes.
  • Cyber security risks are documented in an agency risk register and are periodically reviewed by the Agency Security Committee (refer to SACSF Guideline 8.0 - Security Risk Management).
  • Cyber security risks are assessed and documented by suitably skilled personnel for all projects undertaken by the agency where cyber security risk exists.

Tier Two Requirements:

  • Cyber security risks are documented in a cyber security risk management tool maintained by security personnel and periodically reviewed by the Agency Security Committee.

Tier Three Requirements:

As above

Tier Four Requirements:

As above

1.4: Policies, Procedures and Compliance

Cyber security policies and procedures must be in place and approved by senior leadership, providing management direction and support for cyber security in accordance with business requirements and relevant laws, regulations and contractual requirements, and the SACSF.

The agency’s suite of cyber security policies, procedures, and working documents must be reviewed regularly and socialised throughout the agency.

Tier One Requirements:

  • A suite of cyber security policies aligned to the requirements of the SACSF is in place and has been socialised throughout the agency.
  • Significant changes to policies are communicated as they occur.
  • Legal, statutory, regulatory or contractual requirements and the agency’s approach to meet these requirements, including how they are monitored and kept up to date, are documented.
  • A policy governing the safe selection and use of generative Artificial Intelligence (AI) and Large Language Model (LLM) tools is documented and kept current as AI technology evolves. Refer to Guideline 13.1 Use of Large Language Model AI Tools and Utilities.
  • Operating procedures supporting the agency's suite of cyber security policies are in place.
  • Policies, procedures and working documents are version controlled.
  • A cyber security calendar is maintained to schedule and track the status of the CSP.

Tier Two Requirements:

  • Policies are reviewed every two years at a minimum.

Tier Three Requirements:

  • Policies are reviewed annually at a minimum.

Tier Four Requirements:

As above

1.5: Supplier Management and Acquisition of Technology

Cyber security requirements must be included in all agreements with all suppliers handling government data throughout the procurement lifecycle. This applies to all systems, software, devices and services being introduced to the agency environment, including cloud services.

Additionally, prior to any procurement, a risk assessment must be performed that evaluates the benefits of the proposed system, software, device or service while carefully considering any associated risks. The assessment should also cover any additional jurisdictional, governance, privacy and security risks arising from the use of such services. All assessments should align with the agency’s risk appetite and risk management framework.

Tier One Requirements:

Supplier Management

  • A formal supplier register is maintained by the agency.
  • Processes for assessing and documenting cyber security risks that suppliers may introduce are embedded within procurement and contract management functions. Due diligence activities must be performed commensurate with the inherent risks associated with the information asset. For further guidance, refer to SACSF Guideline 2.0 - Suppliers using the SACSF and SACSF Guideline 3.0 - Engaging suppliers.
  • Cyber security obligations to address identified risks are documented within supplier agreements.
  • Agencies obtain assurance from suppliers that they have implemented controls to meet their cyber security obligations upon contract award and periodically thereafter, including at contract expiry or termination.
  • Cyber security roles and responsibilities of suppliers are established, communicated, and documented in the supplier agreements.

System and Software Acquisition

  • Security risks associated with system and software acquisition, or significant system enhancements are identified, documented, and managed as per the agency’s risk management framework before the system and/or software is implemented into production.

Cloud Computing

A risk assessment is performed before implementing any cloud service. For further guidance, refer to SACSF Guideline 18.0 - Cloud Security.

  • Security risks associated with a cloud service are identified, documented, and managed as per the agency’s risk management framework before the cloud service is implemented.

Tier Two Requirements:

As above

Tier Three Requirements:

Supplier Management

Agencies obtain independent assurance from suppliers, including cloud service providers, that they have implemented controls to meet their cyber security obligations upon contract award and annually thereafter for:

  • Critical services
  • Services with high availability or integrity requirements
  • Services storing information classified as sensitive or higher, or
  • Services with a moderate or higher risk profile.

Tier Four Requirements:

As above

1.6: Audit and Assurance

A program of cyber security assurance activities must be in place to evaluate the effectiveness of the agency’s CSP and ensure cyber security controls are implemented and operated in accordance with the agency’s policies and procedures, relevant laws, regulations and contractual requirements, and the SACSF.

Tier One Requirements:

  • Self-assessment assurance reviews of the CSP are performed at least annually by the agency.
  • Independent reviews are performed periodically in line with agency requirements.
  • Policy exemptions are formally requested, documented, and monitored by the Agency Security Committee.

Tier Two Requirements:

  • A formal internal audit program is in place to assess alignment to the requirements of the SACSF.
  • Technical security reviews of critical systems are planned and carried out using a risk-based approach.

Tier Three Requirements:

As above

Tier Four Requirements:

  • Formal independent reviews of the CSP are undertaken at least annually.