Since the introduction of the government's cyber security policy, NSW government agencies have made “insufficient progress”, according to the ‘Compliance with the NSW Cyber Security Policy’ audit report that was released by the Audit Office of NSW this week.
The NSW Audit Office has been calling for the government to urgently prioritise improvements to cyber security and resilience for over three years, and its audit findings show that “poor levels of cyber security maturity are a significant concern”, highlighting that a marked improvement will require “dedicated leadership and resourcing”.
The audit found the policy had done little to achieve the “objective of improved cyber governance, controls and culture” since it was introduced to replace the digital information security policy.
The government committed $240 million to cyber security in last year’s budget to fund various cyber security programs, but the recent audit uncovered sustained “non-compliance and significant weaknesses” with the policy, first introduced in 2019, during the 2019-20 reporting period.
The audit examined the departments of Premier and Cabinet, Communities and Justice, Customer Service, Education, Planning, Regional NSW, Health, Treasury and Transport, and found the agencies continuing to struggle to implement the 'Essential Eight' cyber security controls.
“There has been insufficient progress to improve cyber security safeguards across NSW government agencies,” according to the audit.
“Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied.”
The policy does not “set a minimum maturity threshold for agencies to meet”, which the audit highlights as a key gap: without one, agencies can “decide not to implement requirements of the CSP, or they can decide to implement them only in an informal or ad-hoc manner”.
There is also no requirement to “demonstrate reasons for not implementing requirements” or to have agency heads formally acknowledge the residual risk, as is the case in other similar jurisdictions.
The audit noted that a previous iteration of the policy’s reporting template had “stated that level three maturity … was required for compliance with the CSP, but that this was removed in 2020”.
Without a minimum baseline, agencies are “able to target lower levels”, and can therefore choose not to implement a CSP requirement, or to implement it only on an ad-hoc basis, according to the audit.
Under the CSP, agencies are required to self-assess their maturity against the Essential Eight cyber security controls.
Out of the nine lead agencies assessed, eight were found not to have implemented any of the Essential Eight controls to level three, which is considered the baseline by the Australian Cyber Security Centre.
All nine agencies also “failed to reach even level one maturity for at least three of the Essential Eight”, as at the end of June 2020, the report outlined.
The auditor has not named the worst offenders, having “reluctantly agreed to anonymise agencies and their specific failings” because the vulnerabilities have not yet been remedied.
The audit found that seven of the nine agencies audited were reporting levels of maturity against the mandatory requirements in the CSP and Essential Eight that were “not supported by evidence”.
“Each of the nine participating agencies for this audit had overstated their level of maturity against at least one of the 20 mandatory requirements,” it said. “Seven agencies were not able to provide evidence to support their self-assessed ratings for the Essential Eight controls.”
The audit also observed that seven of the nine agencies had “not modified the proforma wording in their attestation to reflect their actual situation”.
Following the audit, Cyber Security NSW has been instructed to improve its monitoring of compliance with the CSP, and agencies will be required to report target levels of maturity for each mandatory requirement in the future.
The audit has also called on agencies to “resolve discrepancies between their reported level of maturity and the level they are able to demonstrate with evidence”.