26 September 2023

Audit uncovers Sydney transport risks

A performance audit into how effectively Transport for NSW and Sydney Trains identified and managed their cyber-security risks has found the Agencies were not effective and significant weaknesses existed in their cyber controls.

In her Report, Managing cyber risks, Auditor-General Margaret Crawford said both Agencies had assessed that their cyber risks were unacceptably high, and that neither Agency had reached its target levels for the Essential Eight (a series of mitigation strategies to help organisations make it harder for adversaries to compromise their systems) or for the Cyber Security Policy.

“This low Essential Eight maturity exposes both Agencies to significant risk,” Ms Crawford said.

“Both Agencies are implementing cyber-security plans to address identified cyber-security risks,” she said.

“Not all of the weaknesses identified in this audit had previously been identified by the Agencies, indicating that their cyber-security risk identification is only partially effective.”

Ms Crawford said her audit also identified other weaknesses, such as low numbers of staff receiving basic cyber-security awareness training and that Agency executives had not received regular detailed information about cyber risks and how they were being managed.

The Auditor-General said that, as a result, neither Agency was fostering a culture where cyber-security risk management was an important and valued aspect of executive decision-making.

She said the Agencies, along with Cyber Security NSW, requested that her Office not disclose details of the significant vulnerabilities detected during the audit, as the vulnerabilities had not been remediated.

“We provided a detailed Report to the Agencies in December 2020 outlining significant issues identified in the Audit,” Ms Crawford said.

“We have conceded to the Agencies’ request but it is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.”

She stressed that the risks identified in the detailed Report existed due to the continued presence of the previously identified vulnerabilities, rather than due to their potential publication.

Ms Crawford made 10 recommendations to the Agencies, including two priority recommendations that they should implement a plan to uplift the Essential Eight controls and address the vulnerabilities detected as part of the Audit, and previously described in the detailed Audit Office Report provided to both Agencies last year.

The Auditor-General’s 38-page Report can be accessed at this PS News link.
