Case Study - Hornsby Shire Council

Policy Management as a Service Implementation

About Hornsby Shire Council

Hornsby Shire Council is located in Sydney's northern suburbs, approximately 25 kilometres from Sydney CBD, and is the first major employment hub for people commuting from the Central Coast. The Shire encompasses an area of about 455 square kilometres, with a significant portion dedicated to national parks and reserves, reflecting its moniker as the "Bushland Shire”.

As of 2023, Hornsby Shire has an estimated resident population of 154,072, with a population density of approximately 338.5 persons per square kilometer.

Background

The council has a diverse workforce employing over 500 full time employees in a range of occupations across four divisions - Corporate Support, Planning and Compliance, Community and Environment, Infrastructure and Major Projects.

Historically, the organisation operated on a legacy on-premises infrastructure, which presented challenges in scalability, accessibility, and maintenance. Recognising the need for a more agile and resilient IT framework, a full migration to a cloud-based infrastructure was undertaken in 2020/2021. The organisation now operates within a Microsoft Azure and 365 environment and have deployed over 400 mobile devices. In completing the migration, council has significantly improved operational flexibility, assisted employees to collaborate more effectively, provided access to systems remotely, and enhanced service delivery.

Challenges

Hornsby Shire Council knew they needed a robust policy framework to be the foundation for their cyber security maturity improvement efforts. They did not have any internal resources with the capability and capacity to write a suite of IT security policies that would ensure compliance with all relevant standards and guidelines. Whilst hiring someone to write policies on a bespoke basis was a consideration, it would create an ongoing challenge for council to keep the policies updated as standards, regulations and the organisation’s business requirements changed.

After researching potential solutions they discovered Kaon Security’s Policy Management as a Service, which provided a streamlined and sustainable way to develop, implement and manage a comprehensive suite of IT policies.

Solution

Policy Management as a Service (PMaaS) ensures the council have rigorous, up-to-date IT security policies aligned with industry best practices and compliance requirements. The policies are written in plain English and designed to meet key standards including ASD Essential 8, ISO 27002, various other ISO standards, and PCI DSS.

By leveraging PMaaS, the council gained access to expertly crafted policies that are kept up to date with regulatory changes, thereby reducing the burden on internal teams while maintaining compliance and strengthening cybersecurity maturity. The service is a structured and efficient approach to policy management, ensuring staff have clear guidance on security practices while IT and compliance teams can focus on core operational priorities.

Benefits

“Tailoring and customising the standards for our organisation, such as roles, terminology, etc, was a simple process and we received guidance from Kaon Security to assist along the way. Our detailed review of the policies revealed a number of areas of non-compliance, which are tracked as exceptions, that helped to inform a roadmap of our journey to improved cyber maturity.” comments Sharon Bowman, Manager - Technology and Transformation.

“We love that the system allows us to track adoption, by requiring staff to complete a quiz (ensuring they actually read the content) and acknowledge the policy. We also appreciate that the policies are continuously reviewed and updated, to reflect changes in the underlying standards (such as an Essential 8 update) and the general risk and control environment (such as AI), meaning we stay up to date with minimal effort.”

“Throughout our implementation and use of the solution, Kaon Security have been extremely responsive to our needs, including taking onboard our suggestions for enhancements to the functionality in the system.” says Sharon.

Leadership

The council is ensuring staff understand and follow IT security policies through a mix of face-to-face and interactive online training. Online modules run quarterly, incorporating gamification and incentives to boost engagement. Initial training rounds included manager-led follow-ups to reinforce key messages, fostering a strong security culture across the organisation.