Compliance with the NSW Cyber Security Policy

Report highlights

What the report is about

This audit assessed nine agencies’ compliance with the NSW Cyber Security Policy (CSP) including whether, during the year to 30 June 2020, the participating agencies:

  • met their reporting obligations under the CSP
  • reported accurate self-assessments of their level of maturity implementing the CSP’s requirements including the Australian Cyber Security Centre’s (ACSC) Essential 8.

What we found

Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. The CSP is not achieving the objectives of improved cyber governance, controls and culture because:

  • the CSP does not specify a minimum level for agencies to achieve in implementing the 'mandatory requirements' or the Essential 8
  • the CSP does not require agencies to report their target levels, nor does it require risk acceptance decisions to be documented or formally endorsed
  • each participating agency had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis
  • none of the participating agencies had implemented all of the Essential 8 controls
  • agencies tended to over-assess their cyber security maturity - all nine participating agencies were unable to support all of their self-assessments with evidence
  • there is no monitoring of the adequacy or accuracy of agencies' self-assessments.

What we recommended

In this report, we repeat recommendations made in the 2019 and 2020 Central Agencies reports, that Cyber Security NSW and NSW Government agencies need to prioritise improvements to cyber security resilience as a matter of urgency.

Cyber Security NSW should:

  • monitor and report compliance with the CSP
  • require agencies to report the target and achieved levels of maturity
  • require agencies to justify why it is appropriate to target a low level of maturity
  • require the agency head to formally accept the residual risk
  • challenge agencies' target maturity levels.

Agencies should resolve discrepancies between their reported level of maturity and the level they are able to support with evidence.

Separately, the agencies we audited requested that we not disclose our audit findings. We reluctantly agreed to anonymise our findings, even though they are more than 12 months old. We are of the view that transparency and accountability to the Parliament of New South Wales are part of the solution, not the problem.

The poor levels of agency cyber security maturity are a significant concern. Improvement requires leadership and resourcing.

Fast facts

The NSW Cyber Security Policy requires agencies to report their level of maturity implementing the mandatory requirements, which includes the ACSC's Essential 8.

  • 100% of audited agencies failed to reach level one maturity for at least three of the Essential 8 controls.

  • 53% of mandatory requirements implemented in an ad hoc or inconsistent manner, or not at all.

  • 89 of the 104 reporting agencies across government met the reporting deadline of 31 August.

Auditor-General's foreword

This report assesses whether state government agencies are complying with the NSW Cyber Security Policy. The audit was based on the level of compliance reported at 30 June 2020.

Our audit identified non-compliance and significant weaknesses against the government’s policy.

Audited agencies have requested that we not report the findings of this audit to the Parliament of New South Wales, even though the findings are more than 12 months old, believing that the audit report would expose their weaknesses to threat actors.

I have reluctantly agreed to modify my report to anonymise agencies and their specific failings because the vulnerabilities identified have not yet been remedied. Time, leadership and prioritised action should have been sufficient for agencies to improve their cyber safeguards. I am of the view that transparency and accountability to the Parliament is part of the solution, not the problem.

The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.

Executive summary

Cyber security is increasingly a focus of governments around Australia. The Australian Cyber Security Centre (ACSC) is the Australian Government’s lead agency for cyber security and is part of the Australian Signals Directorate, a statutory authority within the Australian Government’s Defence portfolio. The ACSC has advised that government agencies at all levels, as well as individuals and other organisations were increasingly targeted over the 2021 financial year1. The ACSC received over 67,500 cybercrime reports, a 13 per cent increase on the previous year. This equates to one reported cyber attack every eight minutes. They also noted that attacks by cyber criminals and state actors are becoming increasingly sophisticated and complex and that the attacks are increasingly likely to be categorised as ‘substantial’ in impact.

High profile attacks in Australia and overseas have included a sustained malware campaign targeted at the health sector2, a phishing campaign deploying emotet malware, spear phishing campaigns targeting people with administrator or other high-level access, and denial of service attacks. The continuing trend towards digital delivery of government services has increased the vulnerability of organisations to cyber threats.

The COVID-19 pandemic has increased these risks. It has increased Australian dependence on the internet – to work remotely, to access services and information, and to communicate and continue our daily lives. Traditional security policies within an organisation’s perimeter are harder to enforce in networks made up of home and other private networks, and assets the organisation does not manage. This has increased the cyber risks for NSW Government agencies.

In March 2020, Service NSW suffered two cyber security incidents in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these cyber breaches resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information contained in these email accounts. These attacks were the subject of the Auditor-General's report on Service NSW's handling of personal information tabled on 18 December 2020.

This audit also follows two significant performance audits. Managing cyber risks, tabled on 13 July 2021 found Transport for NSW and Sydney Trains were not effectively managing their cyber security risks. Integrity of data in the Births, Deaths and Marriages Register, tabled 7 April 2020 found that although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls.

The NSW Cyber Security Policy (CSP) was issued by Cyber Security NSW, a business unit within the Department of Customer Service, and took effect from 1 February 2019. It applies to all NSW Government departments and public service agencies, including statutory authorities. Of the 104 agencies in the NSW public sector that self-assessed their maturity implementing the mandatory requirements, only five assessed their maturity at level three or above (on the five point maturity scale). This means that, according to their own self-assessments, 99 agencies practiced requirements within the framework in what the CSP’s maturity model describes as an ad hoc manner, or they did not practice the requirement at all. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cybersecurity and resilience as a matter of priority.

This audit looks specifically at the compliance of nine key agencies with the CSP. It looks at their achievement implementing the requirements of the policy, the accuracy of their self-assessments and the attestations they made as to their compliance with the CSP.

The CSP outlines the mandatory requirements to which all NSW Government departments and public service agencies must adhere. It seeks to ensure cyber security risks to agencies’ information and systems are appropriately managed. The key areas of responsibility for agencies are:

  • Lead - Agencies must implement cyber security planning and governance and report against the requirements outlined in the CSP and other cyber security measures.
  • Prepare - Agencies must build and support a cyber security culture across their agency and NSW Government more broadly.
  • Prevent - Agencies must manage cyber security risks to safeguard and secure their information and systems.
  • Detect/Respond/Recover - Agencies must improve their resilience including their ability to rapidly detect cyber incidents and respond appropriately.
  • Report - Agencies must report against the requirements outlined in the CSP and other cyber security measures.

DCS has only recommended, but not mandated the CSP for state owned corporations, local councils and universities.

NSW Government agencies must include an attestation on cyber security in their annual report and provide a copy to Cyber Security NSW by 31 August each year stating whether, for the preceding financial year, the agency has:

  • assessed its cyber security risks
  • appropriately addressed cyber security at agency governance forums
  • a cyber incident response plan that is integrated with the security components of business continuity arrangements, and the response plan has been tested during the previous 12 months (involving senior business executives)
  • certified the agency’s Information Security Management System (ISMS) or confirmed the agency’s Cyber Security Framework (CSF)
  • a plan to continuously improve the management of cyber security governance and resilience.

The purpose of the attestation is to focus the agency's attention on its cyber risks and the mitigation of those risks.

Agencies assess their level of compliance in accordance with a maturity model. The CSP does not mandate a minimum maturity threshold for any requirement, including implementation of the Australian Cyber Security Centre's (ACSC) Essential 8 Strategies to Mitigate Cyber Security Incidents (Essential 8).

Agencies are required to set a target maturity level based on their risk appetite for each requirement, seek continual improvement in their maturity, and annually assess their maturity on an ascending scale of one to five for all requirements (refer to Appendix two for the maturity model). Each control within the Essential 8 is assessed on an ascending scale of zero to three reflecting the agency's level of alignment with the strategy (refer to Appendix three for the maturity model).

Scope of this audit

We assessed whether agencies had provided accurate reporting on their level of maturity implementing the requirements of the CSP in a documented way and covering all their systems.

The scope of this audit covered nine agencies (the participating agencies). These agencies were selected because they are the lead agency in their cluster, or have a significant digital presence within their respective cluster. The list of participating agencies is in section 1.2. The audit aimed to determine whether, during the year to 30th June 2020, the participating agencies:

  • met their reporting obligations under the CSP
  • provided accurate reporting in self-assessments against the CSP’s mandatory requirements, including their implementation of the Australian Cyber Security Centre’s (ACSC) Essential 8
  • achieved implementation of mandatory requirements at maturity levels which meet or exceed the ‘level three - defined’ threshold (i.e. are documented and practiced on a regular and consistent basis).

While the audit does assess the accuracy of agency self-assessed ratings, the audit did not assess the appropriateness of the maturity ratings.

Conclusion

Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. There has been insufficient progress to improve cyber security safeguards across NSW Government agencies.
The NSW CSP replaced the NSW Digital Information Security Policy from 1 February 2019. New requirements of the CSP were, inter alia, to strengthen cyber security governance, strengthen cyber security controls and improve cyber security culture.
The CSP is not achieving the objective of improved cyber governance, controls and culture because:
  • The CSP does not specify a minimum level for agencies to achieve in implementing the 'mandatory requirements' or the Essential 8 Strategies to Mitigate Cyber Security Incidents.
  • The CSP does not require agencies to report their target levels, nor does it require risk acceptance decisions to be documented or formally endorsed.
  • All of the participating agencies had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis.
  • None of the participating agencies had implemented all of the Essential 8 controls to at least level one.
  • Agencies tended to over-assess their cyber security maturity, with all nine participating agencies unable to support some of their self-assessments of compliance with one or more mandatory criteria. Optimistic assessment of the current state of cyber resilience undermines effective decision making and risk management in responding to cyber risks.
  • There is no systematised and formal monitoring, by either Cyber Security NSW or another agency, of the adequacy or accuracy of agencies' cyber self-assessment processes.

 

1. Key findings

The CSP allows agencies to determine their own level of maturity to implement the 'mandatory requirements', which can include not practicing a policy requirement or implementing a policy requirement on an ad hoc basis. These determinations do not need to be justified

Agencies can decide not to implement requirements of the CSP, or they can decide to implement them only in an informal or ad-hoc manner. The CSP allows agencies to determine their desired level of maturity in implementing the requirements on a scale of one to five - level one being 'initial – not practiced' and level five being 'optimised'. The desired level of maturity is determined by the agency based on their own assessment of the risk of the services they provide and the information they hold.

The reporting template for the 2019 version of the CSP stated that level three maturity - where a policy requirement is practiced on a regular and consistent basis and its processes are documented - was required for compliance with the CSP. This requirement was removed in the 2020 revision of the reporting template.

This CSP does not require the decisions on risk tolerance, or the timeframes agencies have set to implement requirements to be documented or formally endorsed by the agency head. There is no requirement to report these decisions to Cyber Security NSW.

Some comparable jurisdictions require formal risk acceptance decisions where requirements are not implemented. The NSW CSP does not have a similar formal requirement

Some jurisdictions, with a similar policy framework to NSW, require agencies to demonstrate reasons for not implementing requirements, and require agency heads to formally acknowledge the residual risk. The NSW CSP does not require these considerations to be documented, nor does it require an explicit acknowledgement and acceptance of the residual risk by the agency head or Cyber Security NSW. The NSW CSP does not require that the records of how agencies considered and decided which measures to adopt to be documented and auditable, limiting transparency and accountability of decisions made.

All of the participating agencies had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis

All of the participating agencies had implemented one or more of the mandatory requirements at level one or two. Maturity below level three typically means not all elements of the requirement have been implemented, or the requirements have been implemented on an ad-hoc or inconsistent basis.

None of the participating agencies has implemented all of the Essential 8 controls at level one – that is, only partly aligned with the intent of the mitigation strategy

Eight of the nine agencies we audited had not implemented any of the Essential 8 strategies to level three – that is, fully aligned with the intent of the mitigation strategy. At the time of this audit the ACSC advised that:

as a baseline organisations should aim to reach to reach Maturity Level Three for each mitigation strategy3.

The Australian Signals Directorate4 currently advises that, with respect to the Essential 8:

[even] level three maturity will not stop adversaries willing and able to invest enough time, money and effort to compromise a target. As such, organisations still need to consider the remainder of the mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual

All agencies failed to reach even level one maturity for at least three of the Essential 8.

Cyber Security NSW modified the ACSC model for implementation of the Essential 8

The NSW maturity model used for the Essential 8 does not fully align with the ACSC’s model. At the time of this audit the major difference was the inclusion of level zero in the NSW CSP maturity scale. Level zero broadly means that the relevant cyber mitigation strategy is not implemented or is not applied consistently. Level zero had been removed by the ACSC in February 2019 and was not part of the framework at the time of this audit. It was re-introduced in July 2021 when the ACSC revised the detailed criteria for each element of the essential 8 maturity model. The indicators to reach level one on the new ACSC model are more detailed, specific and rigorous than those currently prescribed for NSW Government agencies. Cyber Security NSW asserted the level zero on the CSP maturity scale:

is not identical to the level zero of the ACSC’s previous Essential 8 maturity model, but is a NSW-specific inclusion designed to prevent agencies incorrectly assessing as level one when they have not achieved that level.

Attestations did not accurately reflect whether agencies implemented the requirements

Of the nine participating agencies, seven did not modify the proforma wording in their attestation to reflect their actual situation. Despite known gaps in their implementation of mandatory requirements, these agencies stated that they had 'managed cyber security risks in a manner consistent with the Mandatory Requirements set out in the NSW Government Cyber Security Policy'. Only two agencies modified the wording of the attestation to reflect their actual situation.

Attestations should be accurate so that agencies’ and the government’s response to the risk of cyber attack is properly informed by an understanding of the gaps in agency implementation of the policy requirements and the Essential 8. Without accurate information about these gaps, subsequent decisions as to prioritisation of effort and deployment of resources are unlikely to effectively mitigate the risks faced by NSW Government agencies.

Participating agencies were not able to support all of their self-assessments with evidence and had overstated their maturity assessments, limiting the effectiveness of agency risk management approaches

Seven of the nine participating agencies reported levels of maturity against both the mandatory requirements and the Essential 8 that were not supported by evidence.

Each of the nine participating agencies for this audit had overstated their level of maturity against at least one of the 20 mandatory requirements. Seven agencies were not able to provide evidence to support their self-assessed ratings for the Essential 8 controls.

Where agency staff over-assess the current state of their cyber resilience, it can undermine the effectiveness of subsequent decision making by Agency Heads and those charged with governance. It means that actions taken in mitigating cyber risks are less likely to be appropriate and that gaps in implementing cyber security measures will remain, exposing them to cyber attack.

Agencies' self-assessments across government exposed poor levels of maturity in implementing the mandatory requirements and the Essential 8 controls

We reviewed the data 104 NSW agencies provided to Cyber Security NSW. The 104 agencies includes nine audited agencies referred to in more detail in this report. Our review of the 104 agency self-assessment returns submitted to Cyber Security NSW highlighted that, consistent with previous years, there remains reported poor levels of cyber security maturity. We reported the previous years’ self-assessments in the Central Agencies 2019 Report to Parliament and the Central Agencies 2020 Report to Parliament.

Only five out of the 104 agencies self-assessed that they had implemented all of the mandatory requirements at level three or above (against the five point scale). Fourteen agencies self-assessed that they had implemented each of the Essential 8 controls at level one maturity or higher (using Cyber NSW’s four point scale). The remainder reported at level zero for implementation of one or more of the Essential 8 controls, meaning that for the majority of agencies the cyber mitigation strategy has not been implemented, or is applied inconsistently.

Where agencies had reported in both 2019 and 2020, agencies’ self-assessments showed little improvement over the previous year’s self-assessments:

  • 14 agencies reported improvement across both the Essential 8 and the mandatory requirements
  • 8 agencies reported a net decline in both the Essential 8 and the mandatory requirements.

The poor levels of maturity in implementing the Essential 8 over the last couple of years is an area of significant concern that requires better leadership and resourcing to prioritise the required significant improvement in agency cyber security measures.

2. Recommendations

Cyber Security NSW should:

1. monitor and report compliance with the CSP by:

  • obtaining objective assurance over the accuracy of self-assessments
  • requiring agencies to resolve inaccurate or anomalous self-assessments where these are apparent

2. require agencies to report:

  • the target level of maturity for each mandatory requirement they have determined appropriate for their agency
  • the agency head's acceptance of the residual risk where the target levels are low

3. identify and challenge discrepancies between agencies' target maturity levels and the risks of the information they hold and services they provide

4. more closely align their policy with the most current version of the ACSC model.

Participating agencies should:

5. resolve the discrepancies between their reported level of maturity and the level they are able to demonstrate with evidence, and:

  • compile and retain in accessible form the artefacts that demonstrate the basis of their self-assessments
  • refer to the CSP guidance when determining their current level of maturity
  • ensure the attestations they make refer to departures from the CSP
  • have processes whereby the agency head and those charged with governance formally accept the residual cyber risks.

Repeat recommendation from the 2019 Central Agencies report and the 2020 Central Agencies report

6. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security and resilience as a matter of urgency.


1. Introduction

1.1 Background to the Policy

The NSW Cyber Security Policy (CSP) took effect from 1 February 2019, replacing the NSW Digital Information Security Policy following the Audit Office’s 2018 performance audit Detecting and responding to cyber security incidents.

The CSP is owned by Cyber Security NSW, which is a function within the Department of Customer Service. It is subject to annual review including agency feedback. The current version of the CSP was issued in April 2020.

Cyber Security NSW is responsible for providing policy and guidance on cyber security, coordination and communication on whole-of-government security threats and incidents, liaison with security functions in other branches of government and conducting whole-of-government cyber security exercises. Cyber Security NSW was established in May 2019 taking over the responsibilities of the former government Chief Information Security Officer. Its responsibilities are to enhance whole-of-government cyber security capabilities and standards, improve cyber incident response coordination and the development of cyber policies.

The CSP requires that agencies submit a report covering the following:

  • Assessment against their implementation of 20 mandatory requirements, which address cyber security governance, culture and awareness, security over third party IT providers, and information sharing across government.
  • Assessment of implementation of the Essential 8 controls. The Essential 8 are the highest priority mitigation strategies identified by the Australian Cyber Security Centre as the most effective measures to defend against cyber attacks.
  • Their cyber security risks with high or extreme residual ratings.
  • A list of their most valuable systems and information known as their ‘crown jewels’.

Agencies are required to include an attestation on cyber security in their annual report and provide a copy to Cyber Security NSW by 31 August each year.

1.2 About this audit

We designed our audit procedures to conclude whether agencies were complying with the CSP during the year to 30th June 2020, including the reporting in August 2020.

The audit evaluated implementation of the CSP at nine participating agencies. The names of the agencies have been anonymised in respect of detailed information contained in this report, but were:

  • the Department of Premier and Cabinet
  • the Department of Communities and Justice
  • the Department of Customer Service
  • the Department of Education
  • the Department of Planning, Industry and Environment
  • the Department of Regional NSW
  • the Ministry of Health
  • the Treasury
  • Transport for NSW (specifically the former functions of Roads and Maritime Services).

It addressed whether participating agencies:

  • met their reporting obligations under the CSP
  • provided accurate reporting in self-assessments against the CSP’s mandatory requirements, including their implementation of the Australian Cyber Security Centre’s (ACSC) Essential 8 strategies to mitigate cyber security incidents
  • achieved implementation of mandatory requirements at maturity levels which meet or exceed the ‘level three - Defined’ threshold (i.e. are documented and practiced on a regular and consistent basis).

1.3 The maturity model

Implementation of the requirements is measured on a maturity scale

Agencies must assess the level to which they have implemented risk mitigation requirements each year. There are 25 elements to the CSP, five of which relate to reporting. The CSP requires agencies to assess their maturity in implementing the 20 elements with active requirements using a five point maturity model (refer to Appendix two for details of the CSP mandatory requirements maturity model).

Element 3.2 of the CSP relates to implementation of the Essential 8. The CSP requires agencies to assess their maturity against the Essential 8 using a four point maturity model (refer to Appendix three for details of the Essential 8 maturity model).

The CSP requires agencies to determine their level of maturity implementing the requirements using the scale outlined below.

Maturity Model for the mandatory requirements of the CSP

Maturity Model for the mandatory requirements of the CSP*

All requirements are defined on a scale of one to five categorised as:

1. Initial - the policy requirement is not practiced

2. Managed (Developing) - the requirement of the policy may only be performed on an ad-hoc basis and/or is not completely covering the scope of the requirement

3. Defined - the requirement is practiced on a consistent and regular basis and the relevant processes are documented

4. Quantitatively Managed - the requirement is reviewed/audited/governed on a regular basis to ensure that it is being performed as per the documented process/requirement and address any potential blockers

5. Optimised - the requirement is delivered with improved effectiveness such as through increased coverage/stakeholder involvement, automation of processes, continuous improvement, compliance requirements, etc.

Note: Some requirements will have slight variation in the maturity levels to these principles and so it is important to reference the maturity model for specific details of each mandatory requirement.

Source: Cyber Security Policy Maturity Model Guidance, updated April 2020.

Maturity Model for the Essential 8

The CSP requires agencies to report maturity against the Essential 8 using a four point scale based on the ACSC maturity model. The ACSC maturity model for the Essential 8 has changed a number of times since the inception of the CSP, including a revision in July 2021. The ACSC’s broad definition of the maturity levels that were in force at the time of this audit5 were:

  • Level One: Partly aligned with the intent of the mitigation strategy
  • Level Two: Mostly aligned with the intent of the mitigation strategy
  • Level Three: Fully aligned with the intent of the mitigation strategy.

Cyber NSW adopted this model, but added a level zero for those agencies that were unable to attest to even level one on the ACSC maturity model. This meant NSW agencies used a four point maturity model whereas Commonwealth agencies were using a three point maturity model for the Essential 8. The specific maturity levels for each of the Essential 8 used by Cyber Security NSW and applicable in NSW at the time of the audit for reporting are detailed at Appendix three.

Agencies must make a self-assessment of their own cyber maturity

By 31 August each year, agencies must submit a report covering their self-assessment of the following:

  • their maturity against all mandatory requirements in the CSP for the previous financial year
  • their level of implementation of the Australian Cyber Security Centre (ACSC) Essential 8
  • cyber security risks with a residual rating of high or extreme
  • a list of the agency’s ‘crown jewels’.

Cyber Security NSW provides a template for this reporting, which agencies must use.


 
 

2. Implementation of the CSP

The objective of the CSP is to ensure cyber security risks are appropriately managed. However, meeting this objective depends on the requirements being implemented at all agencies to a level of maturity that addresses their specific cyber security risks. Agency systems and data are increasingly interconnected. If an agency does not implement the requirements, or implements them only in an ad-hoc or informal way, an agency is more susceptible to their systems and data being compromised, which may affect the confidentiality of citizens' data and the reliability of services, including critical infrastructure services.

Agencies determine their own target level of maturity, which may mean the requirement is not addressed, or is addressed in an ad hoc or inconsistent way

While the CSP is mandatory for all agencies, it does not set a minimum maturity threshold for agencies to meet.

The reporting template issued in 2019 stated that agencies were required to reach level three maturity in order to comply with the CSP. The 2020 revision6 of the CSP and guidance indicates that level three maturity may not be sufficient to mitigate risks. It advises the agency may determine the level to which it believes it is suitable to implement the requirements, and allows for an agency to aim for a target level of maturity less than level three. The agency can set its optimal maturity level with reference to its risk tolerance with the objective that that aim ‘to be as high as possible’. However, ‘as high as possible’ does not necessarily mean ‘fully implemented’. The CSP contemplates that a lower level of maturity is sufficient if it aligns with the agency's risk tolerance.

2019 reporting template 2020 reporting template
‘A Mandatory Requirement is considered met if a maturity level of three is achieved. The Agency may choose to pursue a higher maturity level if required.

There is no mandated level for the Essential 8 Maturity reporting’.

‘There is no mandated maturity level for either the Mandatory Requirement reporting or Essential 8 reporting. Agencies need to risk-assess their optimal maturity and aim to be 'as high as possible’.
Source: Maturity Reporting Template v4.0, February 2019.
Source: CSP Reporting Template 2020, May 2020.

The Department of Customer Service asserts that while the quotes above were part of their annual templates and policy documents, their documents were incorrect. They assert that the policy has never required a minimum level of maturity to be reached. They have responded to our enquiries that:

…a level three maturity was not a requirement of the Policy or Maturity Model’ and ‘it is misleading to suggest it was a requirement of the Policy.

This audit found that, based on the 2020 reporting template there is no established minimum baseline. Consequently, because the Department of Customer Service had not established a minimum baseline agencies are able to target lower levels (providing they were within the agency’s own risk appetite), which includes targeting to not practice a CSP policy requirement, or to practice a CSP policy requirement on an ad hoc basis.

Where requirements are not implemented, documentation of formal acceptance of the residual risks by the agency head is not required

The New Zealand Government has an approach that is not dissimilar to NSW, in that it also identifies 20 mandatory requirements and allows for a risk based approach to implementation. However, the New Zealand approach puts more rigor around risk acceptance decisions.

The New Zealand Government requires that agencies that do not implement the requirements must demonstrate that a measure is not relevant for them. It requires agencies to document the rationale for not implementing the measure, including explicit acknowledgement of the residual risk by the agency head. They require these records to be auditable.

A security measure with a ‘must’ or ‘must not’ compliance requirement is mandatory. You must implement or follow mandatory security measures unless you can demonstrate that a measure is not relevant in your context.

Not using a security measure without due consideration may increase residual risk for your organisation. This residual risk needs to be agreed and acknowledged by your organisation head.

A formal auditable record of how you considered and decided which measures to adopt is required as part of the governance and assurance processes within your organisation.

Source: Overview of Protective Security Requirements, New Zealand Government (PSR-Overview-booklet.pdf (protectivesecurity.govt.nz).

The NSW CSP does not require these considerations to be documented or auditable and does not require an explicit acknowledgement or acceptance of the residual risk by the agency head.

None of the participating agencies achieved level three implementation for all mandatory risk prevention and mitigation requirements

Maturity level three is the minimum level whereby an agency has implemented documented processes that are practiced on a regular basis across their environment. An agency has not reached level three if the requirement is implemented on an ad-hoc or inconsistent basis, or if not all elements of the requirement have been implemented.

None of the participating agencies achieved level three implementation for all mandatory requirements.

The requirements of the CSP are organised into five sections. Agency implementation of these requirements is discussed in the next five sections of this report.

  • Lead: Planning and governance requirements. Section 2.1
  • Prepare: Cyber security culture requirements. Section 2.2
  • Prevent: Managing cyber incident prevention requirements. Section 2.3
  • Detect/Respond/Recover: Resilience requirements. Section 2.4
  • Report: Reporting requirements. Section 2.5.

 


6The reporting template issued in 2019 required agencies to reach level three, but that guidance was removed in the 2020 revision.

2.1 Planning and governance requirements

The first of the set of five mandatory requirements in the NSW CSP address leadership in the planning and governance for managing cyber risks. These requirements are:

  • 1.1 Allocate roles and responsibilities.
  • 1.2 A governance committee at the executive level to be accountable for cyber security including risks, plans and meeting the requirements of this policy.
  • 1.3 An approved cyber security plan to manage the agency’s cyber security risks, integrated with business continuity arrangements.
  • 1.4 Cyber security threats are considered when performing risk assessments, which includes high and critical risks in the agency’s overall risk management framework.
  • 1.5 The agency is accountable for the cyber risks of their ICT service providers and ensuring their providers comply with the applicable parts of this policy and any other relevant agency security policies.

Our assessment of the level of maturity at each participating agency in implementing the five planning and governance requirements is summarised in the table below:

Table key: ○ Level one maturity, ◔ Level two maturity, ◐ Level three maturity, ◕ Level four maturity, ● Level five maturity, Ratings with asterisk indicate that the agency reported a higher rating than we found to be supported by evidence. How agencies score against requirements 1.1,1.2,1.3,1.4,1.5:Agency A ◔ ○ ○ ◕ ◔ Agency B ◐ ◕ ○ ◔ ◔ Agency C ◐ ◐ ○ ◐ ◐ Agency D ◐ ◐ ◔ ◔ ◔ Agency E  ◐ ◐ ◐ ◔ ◔ Agency F ● ● ● ● ◕ Agency G  ◔ ◕ ◐ ◔ ◔ Agency H  ● ● ● ◔ ◕ Agency I  ◐ ◐ ◔ ◔ ◔
Audit assessment of agency maturity against resilience requirements
Source: Audit Office analysis.

Some agency self-assessments were not accurate

Agency B over assessed their maturity at level two and Agency C over assessed at level three for requirement 1.3 (having an approved cyber security plan to manage the agency’s cyber security risks). Neither agency had an approved cyber security plan at the time. Under the Maturity Model (see Appendix two) we assessed both of these agencies at level 1, which is defined as ‘there is no approved cyber security plan’.

Eight of the nine participating agencies had not implemented all the planning and governance mandatory requirements at maturity level three or higher

These requirements are intended to ensure that responsibilities are defined for managing cyber risks, including those managed by third parties, and that cyber security risks are considered and planned for through integration with other strategic plans.

The level of maturity obtained by agencies indicates gaps exist in meeting these objectives, with the majority of audited agencies not reaching a ‘defined’ level of implementation of the requirements to:

  • have an approved cyber security plan to manage the agency’s cyber security risks, integrated with business continuity arrangements. This must include consideration of threats, risks and vulnerabilities that impact the protection of the agency’s information and ICT assets and services
  • consider cyber security threats when performing risk assessments and include high and critical risks in the agency’s overall risk management framework
  • be accountable for the cyber risks of their ICT service providers and ensure the providers comply with the applicable parts of this policy and any other relevant agency security policies.

Planning and governance are foundational steps in establishing a cyber resilient organisation. Failure to more fully implement these requirements can increase the risk that cyber security is not adequately considered in strategic planning and the management of third parties.

2.2 Cyber security culture requirements

The second of the set of five mandatory requirements address how agencies prepare themselves to build and support a cyber security aware culture. Requirements in this section address cyber security culture at agencies and across government. These requirements are:

  • 2.1 Implement regular cyber security education for all employees and contractors, and ensure that outsourced ICT service providers implement similar cyber security requirements.
  • 2.2 Increase awareness of cyber security risk across all staff including the need to report cyber security risks.
  • 2.3 Foster a culture where cyber security risk management is an important and valued aspect of decision-making and where cyber security risk management processes are understood and applied.
  • 2.4 Ensure that people who have access to sensitive or classified information or systems and those with privileged system access have appropriate security screening, and that access is removed when no longer appropriate.
  • 2.5 Agencies share information on security threats and intelligence with Cyber Security NSW and cooperate across NSW Government to enable management of government-wide cyber risk.

Our assessment of the level of maturity at each participating agency in implementing the five cyber security culture requirements is summarised in the table below:

Table key: ○ Level one maturity, ◔ Level two maturity, ◐ Level three maturity, ◕ Level four maturity, ● Level five maturity, Ratings with asterisk indicate that the agency reported a higher rating than we found to be supported by evidence. How agencies score against requirements 2.1,2.2,2.3,2.4,2.5: Agency A ◔* ◔ ◔ ◔ ◐, Agency B ◔* ◐ ◔ ◐ ◕, Agency C ◔* ◐ ◐ ◔ ◐, Agency D ◔ ◐ ◔* ◔ ◐, Agency E ◐ ◐ ◐ ◔ ◐, Agency F ◐ ◕ ● ◔* ◔* Agency G ◔ ◔ ◔ ◔* ◕, Agency H ◔ ◔ ◔ ◔ ●, Agency I ◔ ◐ ◔* ◔ ◐
Audit assessment of agency maturity against cyber security culture requirements
Source: Audit Office analysis.

Some agency self-assessments were not accurate

Agency A, Agency B, and Agency C each over assessed their maturity for requirement 2.1 (implementing regular cyber security education for all employees and contractors, and ensuring outsourced ICT service providers understand and implement the cyber security requirements of their contracts). Each of these agencies self-assessed at level three but achieved only level two maturity because they did not ensure education is available for contractors and ICT service providers.

Agency D and Agency I assessed their maturity for requirement 2.3 (fostering a culture where cyber security risk management is an important and valued aspect of decision-making and where cyber security risk management processes are understood and applied) at level four. We assessed them at level two because their enterprise risk management framework had not been finalised or rolled out within the reporting period.

Agency F and Agency G over assessed their maturity for requirement 2.4 (ensuring people who have access to sensitive or classified information or systems and those with privileged system access have appropriate security screening, and that access is removed when they no longer need to have access, or their employment is terminated) at level three. We assessed them at level two because controls over the removal and auditing of access privileges were not performed on a regular basis.

Agency F over assessed their maturity for requirement 2.5 (sharing information on security threats and intelligence with Cyber Security NSW and cooperating across the NSW Government to enable management of government-wide cyber risk) at level 4. We assessed them at level two because an assessment of maturity above that level requires a defined workflow for information sharing as part of the procedures for incident management. This did not exist at this agency.

No participating agency had implemented all the cyber security culture mandatory requirements at maturity level three or higher

These requirements are intended to establish behaviours and attitudes across the organisation that adequately reflect the importance of cyber security risks.

The level of maturity attained by agencies indicates that these objectives are not being met, with the majority of audited agencies not reaching a ‘defined’ level of implementation of the requirements to:

  • Conduct regular cyber security education for all employees and contractors, and ensure that outsourced ICT service providers understand and implement the cyber security requirements under their contracts.
  • Foster a culture where cyber security risk management is an important and valued aspect of decision-making and where cyber security risk management processes are understood and applied.
  • Ensure that people who have access to sensitive or classified information or systems and those with privileged system access have appropriate security screening, and that access is removed when they no longer need to have access, or their employment is terminated.

Agencies without cyber secure awareness and behaviours are more susceptible to cyber attacks.

2.3 Managing cyber incident prevention requirements

The third of the set of five mandatory requirements address the prevention of cyber security incidents. These requirements are:

  • 3.1 Implement an Information Security Management System (ISMS) or Cyber Security Framework (CSF), with scope at least covering systems identified as an agency’s ‘crown jewels’. The ISMS or CSF should be compliant with, or modelled on, one or more recognised ICT/OT standard.
  • 3.2 Implement the ACSC Essential 8 - (for further details on the implementation of the Essential 8 refer to sections 2.6 and 2.8 of this report).
  • 3.3 Classify information and systems according to their importance (i.e. the impact of loss of confidentiality, integrity or availability), adhere to the requirements of the NSW Government Information Classification Labelling and Handling Guidelines and:
    • assign ownership
    • implement controls according to their classification and relevant laws and regulations
    • identify the agency’s ‘crown jewels’ and report them to Cyber Security NSW as per mandatory requirement 5.4.
  • 3.4 Ensure cyber security requirements are built into procurements and into the early stages of projects and the system development life cycle (SDLC), including agile projects.
  • 3.5 Ensure new ICT systems or enhancements include processes for audit trails and activity logging to assess the accuracy and integrity of data including processes for internal fraud detection.

Our assessment of the level of maturity at each participating agency in implementing the five cyber incident prevention requirements is summarised in the table below:

Table key: ○ Level one maturity, ◔ Level two maturity, ◐ Level three maturity, ◕ Level four maturity, ● Level five maturity, Ratings with asterisk indicate that the agency reported a higher rating than we found to be supported by evidence. How agencies score against requirements 3.1,3.2,3.3,3.4,3.5: Agency A ○ ○ ◐ ○ ○, Agency B ◔ ◔ ◐ ◔ ◔, Agency C ○ ◐ ○ ◐ ○, Agency D ◐ ◔ ○ ◔ ◔, Agency E ◐ ◔ ○ ◔ ◔, Agency F ◐ ◔ ◐ ◐ ◔, Agency G ○ ◔ ◕ ◔ ◔, Agency H ○ ◔ ◔ ◐ ◔, Agency I ◐ ◔ ◐ ◔ ◔
Audit assessment of agency maturity against cyber incident prevention requirements
Source: Audit Office analysis.

Requirement 3.2 mandates that agencies implement the Essential 8. The self-assessments against Requirement 3.2 measure the state of maturity in terms of the extent an agency has commenced implementing all the Essential 8 requirements (refer Appendix two). The actual implementation of each of the Essential 8 mitigation strategies is measured against the detailed criteria set out in the maturity model at Appendix three. The table above shows the agency aggregate assessment of Essential 8 implementation. Agencies must then make a detailed assessment of maturity against each of the Essential 8 mitigation strategies. We cover the results and accuracy of agencies’ assessment of their maturity in implementing mitigation strategies for the individual components of the Essential 8 at section 2.6 of this report.

Only one agency had achieved level three maturity against the aggregate maturity model at Appendix two, being ‘Implementation of the Essential 8 has commenced for all mitigation strategies and maturity is projected to improve year-on-year’. Notably, this does not mean all of the mitigation strategies have been implemented.

Seven agencies achieved level two maturity – ‘Implementation of the Essential 8 has not commenced for all mitigation strategies but there is a plan to begin implementation with CIO approval’.

One agency attained only level one maturity – ‘Implementation of the Essential 8 has not commenced for all mitigation strategies or implementation of the Essential 8 has not been approved by the CIO.’

The Essential 8 are the frontline of cyber attack prevention and are a series of practical controls to specifically address system vulnerabilities that leave agencies open to cyber-attacks. The low level of maturity agencies reported in regards to agencies’ overall maturity and the level to which they have progressed implementing each of the Essential 8 strategies should be of significant concern.

Some agency self-assessments were not accurate

Agency C and Agency G over assessed their maturity for requirement 3.1 (implementing an Information Security Management System (ISMS) or Cyber Security Framework (CSF), with scope at least covering systems identified as an agency’s 'crown jewels' that is compliant with, or modelled on, one or more recognised ICT/OT standard) at level three. We assessed them at level one because there were 'crown jewels' not covered by an ISMS, which is required for assessments at level two or higher. Each agency is required to nominate their crown jewels and register them with Cyber NSW.

Agency C and Agency E over assessed their maturity for requirement 3.3 (classifying information and systems according to their importance and applying the NSW Government Information Classification Labelling and Handling Guidelines) at level two. We assessed them at level one because an assessment at a maturity level above level one requires dedicated owners to be assigned to systems. This had not occurred at these agencies.

Agency A over assessed their maturity for requirement 3.4 (ensuring cyber security requirements are built into procurements and into the early stages of projects and the system development life cycle) at level two. We assessed them at level one because their project management process did not incorporate security considerations in the early stages. Agency H over assessed their maturity for this requirement at level four. We assessed the agency at level three because there was a lack of documentation of required formal procedures.

Agency A over assessed their level of maturity for requirement 3.5 (ensuring new ICT systems or enhancements include processes for audit trails and activity logging to assess the accuracy and integrity of data including processes for internal fraud detection) at level two. We assessed them at level one because the policy and procedures were not documented as required. Agency D, Agency F and Agency I over assessed their maturity at level three. We assessed them at level one because an assessment above this level requires the agency to have processes to ensure audit and activity logging is in place. This was not in place for these agencies.

We have previously reported in the Central Agencies 2019 Report to Parliament and the Central Agencies 2020 Report to Parliament that poor levels of maturity in implementing the Essential 8 is an area of significant concern that requires better leadership and resourcing to remediate to a minimum standard.

We deal with agency performance against this criteria in more detail at section 2.6.

No participating agency has implemented all the cyber security prevention mandatory requirements at maturity level three or higher

These requirements are intended to reduce the likelihood of a successful cyber-attack.

The level of maturity obtained by agencies indicates that these objectives are not being met, with the majority of audited agencies not reaching a ‘defined’ level of implementation of the requirements to:

  • implement an Information Security Management System (ISMS) or Cyber Security Framework (CSF), with scope at least covering systems identified as an agency’s ‘crown jewels’. The ISMS or CSF should be compliant with, or modelled on, one or more recognised ICT/OT standard
  • implement the ACSC Essential 8
  • ensure cyber security requirements are built into procurements and into the early stages of projects and the system development life cycle (SDLC), including agile projects
  • ensure new ICT systems or enhancements include processes for audit trails and activity logging to assess the accuracy and integrity of data, including processes for internal fraud detection.

Gaps in the framework for managing cyber security, and failures to implement prevention strategies can increase agencies' exposure to cyber threats.

2.4 Resilience requirements

The fourth of the set of five mandatory requirements address resilience. These requirements are:

  • 4.1 Have a current cyber incident response plan that integrates with the agency incident management process and the NSW Government Cyber Incident Response Plan.
  • 4.2 Test their cyber incident response plan at least every year, and involve their senior business and IT executives, functional area coordinators (if applicable), as well as media and communication teams.
  • 4.3 Deploy monitoring processes and tools to allow for adequate incident identification and response.
  • 4.4 Report cyber security incidents to Cyber Security NSW according to the NSW Cyber Security Response Plan.
  • 4.5 Participate in whole-of-government cyber security exercises as required.

Our assessment of the level of maturity at each participating agency in implementing the five cyber resilience requirements is summarised in the table below:

Table key: ○ Level one maturity, ◔ Level two maturity, ◐ Level three maturity, ◕ Level four maturity, ● Level five maturity, Ratings with asterisk indicate that the agency reported a higher rating than we found to be supported by evidence. How agencies score against requirements 4.1,4.2,4.3,4.4: Agency A  ◔*  ○*  ◔  ◕, Agency B  ◐  ○  ◔  ◐, Agency C  ◐  ◔  ◐  ◔, Agency D  ◐  ○  ◔  ◐, Agency E   ◐  ◐  ◔  ◐, Agency F  ◔*  ◔*  ●  ◕, Agency G   ◐  ◐  ◔  ◕, Agency H   ●  ◕  ◐  ◕, Agency I   ◐  ○  ◕  ◐.
Audit assessment of agency maturity against resilience requirements
Source: Audit Office analysis.

Some agency self-assessments were not accurate

Agency A over assessed their maturity for requirement 4.1 (having a current cyber incident response plan that is integrated with the agency's incident management process and the NSW Government Cyber Incident Response Plan) at level three. We assessed them at level two because their disaster recovery plan did not cater for cyber security incidents, which is a requirement of the maturity model. Agency F assessed their maturity at level four. We assessed them at level two because their incident management plan had not been updated since 2016, and was not current.

Agency A and Agency F over assessed their maturity for requirement 4.2 (testing cyber incident response plans at least every year, and involving senior business and IT executives, functional area coordinators and media and communication teams). The maturity model requires a test to have been conducted, either in the current year or at any time previously, to reach level two or above. Agency A self-assessed at level two but had never conducted testing. We assessed them at level one. Agency F self-assessed at level four, but had not tested their incident response plan within the current reporting period. We assessed them at level two.

Requirement 4.5 mandates that agencies take part in whole-of-government security exercises. This was the only requirement for which any agencies' self-assessed rating was lower than what was supported by the available evidence.

All agencies were represented at a whole-of-government exercise conducted in August 2019 (within the period covered by the self-assessments), and therefore should have assessed at level three or four. There was a planned whole-of-government exercise later in the year, which was cancelled due to restrictions arising from the pandemic. Because of this cancellation, some agencies reported at level one where they believed no exercise had taken place in the year.

Eight of the nine agencies had not implemented all the cyber security resilience mandatory requirements at maturity level three or higher.

These requirements are intended to ensure agencies can detect and respond to cyber incidents. The level of maturity attained by agencies indicates that these objectives are not being met, with the majority of audited agencies not reaching a ‘defined’ level of implementation of the requirements to:

  • Test their cyber incident response plan at least every year, and involve their senior business and IT executives, functional area coordinators (if applicable), as well as media and communication teams.
  • Deploy monitoring processes and tools to allow for adequate incident identification and response.

Inadequate identification and response to cyber incidents can increase the likely impact and duration of cyber attacks.

2.5 Reporting requirements

The last of the set of five mandatory requirements set out the reporting obligations, which are due by 31 August each year. These are not measured on a maturity model.

Agencies are required to:

  • report their maturity against the mandatory requirements in the format provided
  • report their maturity against the Essential 8 in the format provided
  • report cyber security risks with a residual rating of high or extreme
  • report their crown jewels
  • provide an attestation of their compliance signed by the agency head.

Attestations do not reflect the actual realities in levels of implementing the requirements

The CSP provides a proforma for agency heads to make the required annual attestations but encourages modification to suit the situation. The attestation should address the following:

  • the agency has assessed its cyber security risks
  • cyber security is appropriately addressed at agency governance forums
  • the agency has a cyber incident response plan, it is integrated with the security components of business continuity arrangements, and has been tested over the previous 12 months (involving senior business executives)
  • confirmation of the agency’s Information Security Management System (ISMS), Cyber Security Management Framework/s (CSF) and/or Cyber Security Framework (CSF) including certifications or independent assessment where available
  • what the agency is doing to continuously improve the management of cyber security governance and resilience.

The proforma contains the following draft attestation:

I, [name of Department Head or Governing Board of the Statutory Body], am of the opinion that [name of Department or Statutory Body] has managed cyber security risks in a manner consistent with the Mandatory Requirements set out in the NSW Government Cyber Security Policy.

Source: Cyber Security Policy, updated May 2020.

Of the nine participating agencies, seven did not modify the proforma wording in their attestation to acknowledge known gaps in their implementation of mandatory requirements and low maturity in some areas. Two agencies modified the wording to reflect their situation.

The Department of Customer Service responded to this finding by stating that it is incorrect because:

the example attestation is a suggested only and can be adapted to accurately reflect the circumstances of the agency or cluster, but not that it must be adapted.

It is our view that any attestation should reflect the facts and substance of the subject matter, and not simply replicate the wording in a proforma.

Attestations should be accurate and demonstrate that management’s response to the risk of cyber attack is informed by an understanding of the gaps in their implementation of the policy requirements and the Essential 8. Without an acknowledgement of these gaps, risk management decisions may not be appropriate to the actual level of risk faced by the agency.

Alignment between attestations and implementation of the mandatory requirements
Agency Number of the 20 mandatory
requirements self-assessed at
level three or above
Modified wording of attestation
to reflect incomplete implementation
Agency A 7
No
Agency B 10
No
Agency C 14 Yes
Agency D 11
No
Agency E  12
No
Agency F  19
No
Agency G  9 Yes
Agency H  10
No
Agency I  11
No

Source: Audit Office Analysis

2.6 Implementing the Essential 8

Requirement 3.2 of the CSP mandates that agencies implement the Essential 8.

The ACSC recommends the Essential 8 as important controls in preventing cyber attacks

The Australian Cyber Security Centre (ACSC) was established in 2014 to lead the Australian Government's work to improve cyber security. ACSC is part of the Australian Signals Directorate within the Defence portfolio. The ACSC has defined 37 cyber security strategies, prioritising eight of these as a baseline for all organisations in mitigating cyber-attacks. These eight highest priority strategies are called the ‘Essential 8’.

The guidance from ACSC7 states that:

As a baseline, organisations should aim to reach maturity level three for each mitigation strategy

The CSP requires agencies to report maturity against the Essential 8 using a four point scale based on the ACSC maturity model. The ACSC maturity model for the Essential 8 has been revised a number of times, including a significant revision in July 2021. At the time of the audit, the broad definitions in the CSP for each maturity level8 were:

  • Level Zero: Not meeting the criteria for Level One
  • Level One: Partly aligned with the intent of the mitigation strategy
  • Level Two: Mostly aligned with the intent of the mitigation strategy
  • Level Three: Fully aligned with the intent of the mitigation strategy.

The specific maturity levels used by Cyber Security NSW for reporting and that were applicable at the time of the audit are detailed at Appendix three.

The Essential 8 are key IT controls aimed at protecting against cyber attack

  Requirement Importance
Mitigation strategies to prevent malware delivery and execution
1. *Application control (whitelisting) to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers. Non-approved applications (including malicious code) are prevented from executing. It is more effective than traditional anti-virus or anti-malware programs and can stop attacks that are not blocked by these tools.
2. *Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications. Security vulnerabilities in applications can be used to execute malicious code on systems.
3.  Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate. Microsoft Office macros can be used to deliver and execute malicious code on systems.
4. User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers. Flash, ads and Java are popular ways to deliver and execute malicious code on systems.
Mitigation strategies to limit the extent of cyber security incidents
5. *Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing. Admin accounts are the ‘keys to the kingdom’. Adversaries use these accounts to gain full access to information and systems.
6. *Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don't use unsupported versions. Security vulnerabilities in operating systems can be used to further the compromise of systems.
7. Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository. Stronger user authentication makes it harder for adversaries to access sensitive information and systems.
Mitigation strategies to recover data and maintain system availability
8. Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes. To ensure information can be accessed following a cyber security incident (e.g. a ransomware incident) limiting the loss of data to no more than one day.

* Denotes this strategy is part of the 'top four'. Refer to Appendix three.

Cyber Security NSW modified the ACSC model for implementation of the Essential 8

The NSW maturity model used for the Essential 8 does not fully align with the ACSC’s model. At the time of this audit the major difference was the inclusion of level zero on the CSP maturity scale, broadly meaning that the relevant cyber mitigation strategy is not implemented, or is not applied consistently. Level zero had been removed by the ACSC in February 2019 and was not part of the framework at the time of this audit. It was re-introduced in July 2021 when the ACSC revised the detailed criteria for each element of the essential 8 maturity model. The indicators to reach level one on the new ACSC model are more detailed, specific and rigorous than those currently prescribed for NSW Government agencies. Cyber Security NSW asserted the level zero on the CSP maturity scale:

is not identical to the level zero of the ACSC’s previous Essential 8 maturity model, but is a NSW-specific inclusion designed to prevent agencies incorrectly assessing as level one when they have not achieved that level.

No participating agency has implemented all of the Essential 8 controls at level one or above

Number of participating agencies achieving each maturity level against the Essential 8
Essential 8 mitigation strategies Maturity level zero Maturity level one Maturity level two Maturity level three
Application control (whitelisting)* 9 -- -- --
Patch applications* 6 1 2 --
Configure Microsoft office macro settings  7 1 -- 1
User application hardening  8 -- -- 1
Restrict administrative privileges*  4 5 -- --
Patch operating systems*  8 -- 1 --
Multi-factor authentication  3 6 -- --
Daily backups  1 5 3 --
* The asterisk denotes that this strategy is part of the ‘top four’ (Appendix three).
Note: Maturity levels for the Essential 8 are described in section 1.3 of this report.
Source: Audit Office analysis.

Few controls were implemented in a way that could be considered fully or mostly aligned with the cyber security strategy. Some strategies have been implemented by very few or none of the agencies. The most common level of implementation of Essential 8 controls was level zero - that is, the control had not been implemented, or is not applied consistently. Other controls were only partially implemented by agencies.

The ACSC advises that the baseline all organisations should aim to reach is maturity level three for each of these 8 highest priority strategies to mitigate cyber security incidents .

Agency B had implemented two of the Essential 8 strategies to level three - fully aligned with the strategy. No other participating agency had implemented any of the Essential 8 to this level.

The two least implemented controls were application whitelisting and user application hardening. Whitelisting prevents malicious code from executing, protecting against many types of attack such as trojans and phishing attacks. It is more effective than traditional anti-virus or anti-malware programs and can stop attacks that are not blocked by these tools. Implementing application whitelisting can be costly, and some of our participating agencies reported cost as an impediment to implementing sufficient measures in the short term. Application hardening removes insecure or non-essential elements which might be used by attackers.

The lack of multifactor authentication contributed to the cyber attacks on Service NSW in March 2020, in which staff members had their email accounts accessed without authorisation, and documents containing personal information on NSW residents were compromised. This was reported in the Auditor-General's report on the Service NSW's handling of personal information tabled on 18 December 2020.

We reported the status of implementing the Essential 8 in the Central Agencies 2019 Report to Parliament and the Central Agencies 2020 Report to Parliament. We recommended in those reports that Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency. The poor levels of maturity in implementing the Essential 8 is an area of significant concern that requires better leadership and resourcing.

Agencies’ implementation of the ‘top four’ cyber controls is poor

Four of the Essential 8 strategies (the ‘top four’) have previously been assessed by the Australian Signals Directorate as mitigating:

Over 85 per cent of adversary techniques used in targeted cyber intrusions which ASD has visibility of.10

The top four controls11 are:

  • Application whitelisting
  • Patching applications
  • Patching operating systems
  • Restricting administrative privileges.

There is currently no requirement in NSW for any agency to implement the ‘top four’ to any designated level of maturity.


2.7 Accuracy of self-assessments

Participating agencies were not able to support all of their ratings with evidence

Seven of the nine participating agencies had reported levels of maturity against both the mandatory requirements and the Essential 8 that were not supported by evidence.

Each of the nine participating agencies for this audit had overstated their level of maturity against at least one of the 20 mandatory requirements. Seven agencies were not able to show evidence to support their self-assessed rating across all of the Essential 8 controls.

Accuracy of self-reported maturity against the mandatory requirements
Agency Number of requirements for which evidence did not support the stated level of maturity
Agency A 5
Agency B 2
Agency C 4
Agency D 2
Agency E  1
Agency F 5
Agency G  2
Agency H  1
Agency I  2
Total 24
Source: Audit Office analysis.

Inaccurate self-assessments limit the effectiveness of risk management strategies as the level of risk exposure is not properly considered or understood

For all except one requirement the inaccuracy overstated the level of implementation. Most inaccuracies arose from a misunderstanding of the maturity model or applying the model without fully considering all aspects of the environment. The reasons for inaccuracy in the self-assessments against the mandatory requirements included are detailed in the relevant sections of this report.

Inaccuracies in self-assessments against the Essential 8 were generally that some but not all aspects of the strategy had been implemented, or that the strategy was being implemented but had not been completed by the reporting date.

Agency ratings for these were either level one or level two, and in every case we assessed the level of maturity at zero:

  • Two agencies over-assessed their implementation of application whitelisting. One agency relied on mitigating controls but had not implemented the specified control - i.e. to run only executables which are defined in an approved whitelist. The other agency had not completed their implementation at the time of reporting.
  • Two agencies over-assessed their patching of applications, and four agencies over-assessed patching of operating systems. These agencies had applications or operating systems that were no longer supported by the vendor with patches.
  • Four agencies over-assessed their configuration of macros and three agencies over-assessed their application hardening, either because they had not implemented all elements of the strategy, or because implementation was still underway at the time of reporting.
  • Three agencies over-assessed their restriction of privileged access. In one case access levels for privileged accounts did not prevent reading emails and web browsing. Two other agencies' assessments were inaccurate because of ineffective operation of controls to approve new privileged user accounts and review existing privileged accounts.
  • One agency over-assessed daily backups as they could not evidence that backups were stored for the period required or tested periodically.
  • One agency over-assessed their multifactor authentication as it was not applied to all privileged accounts.

2.8 Self-reported levels of implementation across government

Agencies are required by the CSP to report their self-assessed levels of cyber maturity to Cyber Security NSW. 2020 was the second year of reporting, and this section reports observations from the self-assessed ratings submitted by 104 agencies, nine of which were audited and their results reflected in the earlier sections of this report. One hundred and three of these agencies submitted self-assessed ratings against the Essential 8. The analysis below indicates the need for prioritised and urgent improvement to agencies’ cyber security and resilience across the sector.

Agencies across government self-assessed low levels of maturity in implementing the mandatory requirements

Only five out of the 104 agencies self-assessed that they have implemented all of the mandatory requirements at level three or above (on the five point maturity scale, refer Appendix two). This means that, according to their own self-assessments, 99 agencies practiced the requirements in the framework in a way that can be described as either ad hoc, or not practiced at all. Two agencies self-assessed that they have not reached this level for any of the mandatory requirements, and a further three agencies have reached this level for only one requirement. One of these agencies lists critical infrastructure systems among systems it identified as being one of its crown jewels. Forty-seven agencies reported not having reached level three for more than half of the 20 mandatory requirements.

The requirements which were most commonly reported to be below level three include:

  • 43 agencies self-reported below level three for requirement 1.3 (an approved cyber security plan to manage the agency’s cyber security risks, integrated with business continuity arrangements)
  • 34 agencies self-reported below level three for requirement 3.5 (ensure new ICT systems or enhancements include processes for audit trails and activity logging to assess the accuracy and integrity of data including processes for internal fraud detection)
  • 42 agencies self-reported below level three for requirement 4.1 (have a current cyber incident response plan that integrates with the agency incident management process and the NSW Government Cyber Incident Response Plan).

Some agencies have reported improvement since 2019, others have declined

Forty-nine agencies self-assessed and reported their maturity ratings against the mandatory requirements in both 2019 and 2020. Since 2019, most agencies had improved their rating against one or more requirements, and also reported a lower rating in one or more other requirements.

Of those 49 agencies reporting in both years:

  • 25 agencies reported a net improvement (reporting improvements against more requirements than those where they declined)
  • 21 agencies reported a net decline (reporting they declined against more requirements than those where they improved)
  • 3 agencies improved and declined against the same number of requirements.

The Department of Customer Services, whilst acknowledging the above information is correct, contended that:

it does not account for modifications to the policy between 2019 and 2020 and further clarifications and guidance which were designed to help agencies with more accurate understanding and assessment.

Our findings, based on this audit, would indicate that accuracy in the self-assessment process still has some way to go.

Most agencies had not implemented all of the Essential 8 controls at level one or above

Fourteen agencies have reported that they implemented the Essential 8 controls at level one maturity or higher. The remainder of agencies (89 of the 103 agencies) have not reached this level against one or more of the Essential 8 controls. A further agency reported on other aspects of its cyber security implementation but did not report on its implementation of the Essential 8.Failing to implement these strategies to mitigate cyber incidents increases the exposure to intrusions and ransomware, and as reported in the Central Agencies 2019 Report to Parliament and the Central Agencies 2020 Report to Parliament, there is an urgent need to uplift cyber security resilience.

Maturity in some Essential 8 controls has reduced since 2019

Patching operating systems, multifactor authentication, performing daily backups and application whitelisting all require improvement.

Of those 48 agencies that reported their maturity against the Essential 8 in both 2019 and 2020:

  • 25 agencies reported a net improvement (they improved against more requirements than they declined)
  • 14 agencies reported a net decline (they declined against more requirements than they improved)
  • 9 agencies improved and declined against the same number of requirements.

Across the Essential 8 and the mandatory requirements:

  • 14 agencies improved across both the Essential 8 and the mandatory requirements
  • 8 agencies declined in both the Essential 8 and the mandatory requirements.

Twenty-three agencies did not meet the reporting and attestation requirements

Of the 104 agencies required to report:

  • 15 agencies did not submit their reports by the 31 August deadline
  • 1 agency reported on time but did not use the required format
  • 8 agencies had not had their attestations signed by the Agency Head at the time of reporting to Cyber Security NSW.

Appendices

Appendix one – Response from agencies

Appendix two – The maturity model for the mandatory requirements

Appendix three – Essential 8 maturity model

Appendix four – About the audit

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.