The Department of Home Affairs has outlined the foundations of its whole-of-government zero-trust commitment, as originally flagged in the 2023-2030 Australian Cyber Security Strategy.
In a consultation paper released last month titled Guiding Principles to Embed a Zero Trust Culture, the department laid out guiding principles for uplifting current policies so that all departments and stakeholders are working from the same baseline.
“The success of these initiatives, such as developing a whole-of-government zero-trust culture, relies on an aligned, collaborative approach with all impacted stakeholders,” the paper said, stressing the importance of collaboration with industry.
Home Affairs laid out five guiding principles in the paper:
Identify and manage cyber security risk at an enterprise level: Cyber risk and threats must be considered an enterprise-level concern. This means including it within the agency’s “broader risk management framework” and taking it into account during critical operation decisions.
Understand accountabilities and responsibilities at all levels: Strong accountability mechanisms must be established, and clear roles and responsibilities must be defined for the establishment of zero-trust culture foundations.
Know and understand your most critical and sensitive technology assets: Identify which assets are most critical and sensitive, and bolster the cyber literacy and awareness of staff so that they are cyber fluent and able to “navigate and respond to cyber threats”.
Maintain resiliency through a comprehensive cyber strategy and uplift plans: Commonwealth agencies are obligated to “develop, maintain and foster a robust cyber strategy which is essential for enhancing cyber resilience”. Agencies should take into account both current and predicted future threat trends to ensure a strong security strategy.
Go beyond incident planning: Follow the core tenet of zero trust, which is to assume the worst. Cyber planning must assume a threat actor is already present or a breach has already occurred, and every user and device must be verified at every access point, on the basis that “no system or user is inherently secure”.
Home Affairs said it will apply the five guiding principles through changes in the 2025 annual release of the Protective Security Policy Framework, as well as in the Hosting Certification Framework and the Resilient Digital Infrastructure framework.
“Together, these mechanisms act as powerful levers for change by setting consistent, high standards that encourage a culture of continuous verification, risk mitigation and further our journey on the cyber resilience continuum,” it said.
Home Affairs is accepting submissions on the proposed reforms to the three frameworks.