A performance audit into nine Agencies’ compliance with the State’s cyber security policy has found that key elements to strengthen cyber security governance, controls and culture were not sufficiently robust and not consistently applied.
In her Report, Compliance with the NSW Cyber Security Policy, Auditor-General Margaret Crawford said Cyber Security NSW’s NSW Cyber Security Policy (CSP) was not achieving its objectives of improving cyber governance, controls and culture.
Ms Crawford said this was because the CSP did not set a minimum level for the implementation of mandatory requirements, or for the implementation of the Australian Cyber Security Centre’s (ACSC) Essential Eight.
The ACSC’s Essential Eight are a set of mitigation strategies to protect against cyber threats.
“The CSP does not require Agencies to report their target levels, nor does it require risk acceptance decisions to be documented or formally endorsed,” Ms Crawford said.
“Each participating Agency had implemented one or more of the mandatory requirements on an ad hoc or inconsistent basis,” she said.
“None of the participating Agencies had implemented all of the Essential Eight controls.”
Ms Crawford said Agencies tended to over-assess their cyber security maturity and none of the nine Agencies were able to support all of their self-assessments with evidence.
The Auditor-General said all of the Agencies audited had separately requested that her Office not disclose the audits’ findings.
“We reluctantly agreed to anonymise our findings, even though they are more than 12 months old,” she said.
“We are of the view that transparency and accountability to the Parliament of New South Wales are part of the solution, not the problem.”
Ms Crawford said poor levels of Agency cyber security maturity were a significant concern and that improvement would require leadership and resourcing.
She made six recommendations in total, four of them to Cyber Security NSW: that it monitor and report Agency compliance with the CSP; require Agencies to report their target and achieved levels of maturity; challenge discrepancies between Agencies’ target maturity levels and their risk level; and more closely align the CSP with the most current version of the ACSC’s Essential Eight model.
“In this Report, we repeat recommendations made in the 2019 and 2020 Central Agencies reports, that Cyber Security NSW and NSW Government Agencies need to prioritise improvements to cyber security resilience as a matter of urgency,” she said.
Ms Crawford also recommended that the nine audited Agencies resolve discrepancies between their reported level of maturity and the level they were able to support with evidence.
The Auditor-General’s 67-page Report can be accessed at this PS News link.