A performance audit of how Cyber Security NSW has increased the State Government’s cyber resilience has found that the Agency cannot effectively demonstrate its progress.
In her report Cyber Security NSW: governance, roles, and responsibilities, Auditor-General Margaret Crawford said Cyber Security NSW had a clear purpose that was in line with wider Government policy and objectives.
“The majority of Agencies and councils consulted during this audit reported that the services they received contributed to improving their individual cyber security,” Ms Crawford said.
“However, Cyber Security NSW does not clearly and consistently communicate its key objectives to ensure that its efforts are effectively and efficiently targeted, prioritised, planned, and reported,” she said.
“This is despite it receiving enhanced funding to expand the scope of services it provides.”
Ms Crawford said the Agency had many sets of objectives across a range of sources, including the Cyber Security Strategy, business plans, corporate material, and public communications.
She said it had too few reliable and meaningful ways of measuring progress toward these objectives, and no overall workplan or roadmap to show how they would be achieved.
“Without a clear and consistent program logic, it is difficult to determine whether the functions and services delivered by Cyber Security NSW are helping to achieve the level of cyber resilience required to meet the increasing cyber threats faced by the NSW public sector,” the Auditor-General said.
“Cyber Security NSW does not provide adequate assurance of the cyber security maturity self-assessments performed by NSW Government Agencies,” she said.
“Department heads are accountable for ensuring their Agency’s compliance with NSW Government Policy.”
Ms Crawford made four recommendations: to ensure NSW Agencies consistently and accurately assessed and reported their compliance with the Cyber Security Policy; to ensure Cyber Security NSW had a strategic plan that clearly demonstrated its functions and services; to provide a detailed, complete and accessible catalogue of Cyber Security services available to Agencies and councils; and to develop a comprehensive engagement strategy and plan for the local government sector.
The Auditor-General’s 34-page Report can be accessed at this PS News link.