Cyber Security Policy

Information Security is everyone’s responsibility.

On 1 February 2019, the NSW Cyber Security Policy replaced the NSW Government Digital Information Security Policy (DISP). It requires agencies to implement the Australian Cyber Security Centre (ACSC) ‘Essential Eight’ strategies.

The ‘Essential Eight’ are eight baseline security strategies, supported by a detailed set of guidelines and controls that can protect against risks that threaten the agency IT systems and information.

The Cyber Security Policy continues the practice of using an Information Security Management System (ISMS) or Cyber Security Management System (CSMS) that is compliant with a recognised standard. Agencies must still provide an Attestation Statement on cyber security in their annual reports.

The Health Care Complaints Commission’s ISMS takes into account a minimum set of controls, as well as requirements relating to certification and annual attestation, and classification of information.

The Health Care Complaints Commission’s classification requirements are in line with the NSW Government Classification and Labelling Guidelines and using the correct classification of information is important to help ensure the prevention of information breaches and to minimise the impact if an information breach occurs within the Commission.

The Health Care Complaints Commission uses the following classification:

Unclassified – is used when information or material where its loss, misuse, compromise or unauthorised disclosure would not adversely impact the Commission’s activities, reputation or the public interest in general.

Sensitive – this is the Commission’s default classification due to the sensitivity nature of information within the Commission.

Sensitive: Personal DLM – is used with security classified or unclassified information that contains attributes of personal information as defined in Privacy Personal Information Protection Act (PPIPA) 1998.

Sensitive : NSW Government DLM – is used when the compromise of the information could cause limited damage or damage to the NSW Government, commercial entities or members of the public.