A number of Machinery of Government changes were announced during 2023 through Administrative Orders, which have affected the structure and names of some agencies in the scope of this report. These are listed in the table below.

The graph above shows that 62% of the deficiencies (67% in 2021–22) were financial or IT operational deficiencies, with the remainder split among compliance deficiencies (12% compared to 19% in 2021–22), governance deficiencies (seven per cent compared to six per cent in 2021–22), and reporting deficiencies (19% compared to eight per cent in 2021–22).

The table below describes the most common deficiencies across agencies, including their risk rating, the number of repeat deficiencies and the recommendations communicated to management and those charged with governance.

Risk levels of IT related findings have decreased

Risk levels of IT related control findings have decreased from 2022 to 2023. For Financial and Other control findings, there has not been a noticeable difference in risk levels from last year.

The graph below shows the risk ratings of reported control deficiencies. 

Repeat findings have reduced from 48% to 38% of all findings

As a percentage of total internal control deficiencies, unresolved deficiencies from prior years now represent 38% of all internal control deficiencies identified (48% in 2021–22). 

At least 11 repeat findings reported in 2022–23 had been repeated since 2018. These need to be resolved by the relevant agencies as a priority.

Vulnerabilities in internal control systems can be exploited by internal and external parties and pose a threat to agencies. The longer these vulnerabilities exist, the higher the risk that they will be exploited and the higher the expected losses. Agencies need to address these vulnerabilities by ensuring:

• there is clear ownership of the recommendations raised in respect of internal control deficiencies, including timeframes and action plans for their implementation
• audit and risk committees, and agency executive teams, monitor the implementation status regularly, focusing on those actions that are past due or have deferred implementation dates.

It is common for small or medium organisations to use shared service providers for IT systems and finance processes. In the NSW public sector, there are five agencies that operate IT shared services for more than 80 agencies. Where services are performed by another party, the agencies themselves remain accountable to ensure those services provided meet their requirements, and that the shared service provider maintains an appropriate level of controls within the systems to protect the integrity and confidentiality of data to which they have access.

Advantages of relying on other agencies for these functions include:

• economies of scale and reduced cost per person or transaction through centralisation of common processes for agencies with a similar culture, risk and industry
• reduced duplication of functions and processes across agencies
• potential for reduced disruption from some Machinery of Government changes.

The risks of interagency service reliance include:

• issues and problems could become pervasive across the set of agencies. This occurred with the Department of Customer Service in 2022 and was reported in our Customer Service 2022 report
• generalisation and loss of specialist and specific agency knowledge
• lack of clarity for what services are provided and service levels for customers
• lack of visibility over control deficiencies or incidents that occur at the shared service provider but impact the data belonging to the (customer) agency
• lack of clarity of responsibilities between providers and customers
• gaps or duplication of processes, checks and controls between provider and customer
• additional governance, accountability and assurance processes are required to ensure delivery of high performing services
• uncertainty of governance and accountability when agencies are reorganised due to Machinery of Government changes as previously reported in Machinery of government changes.

IT governance provides a framework for accountability and transparency in how IT is managed in alignment with the agency’s objectives.

We evaluated the following as part of all audits for the agencies in this report:

• policies and standards are defined and are current over all key areas of IT
• IT management identify and document risks, and report significant risks to senior management of the agency
• management obtains independent assurance that service providers maintain an appropriate level of control over their environment, proportionate to the reliance placed on that service provider.

From the audit work performed, the following themes were identified.

Four agencies did not have current IT policies and standards in place

Sixteen per cent of agencies had IT policies or standards which were either not formalised, not current or not complete. This has reduced compared to previous years (33% in 2021–22 and 24% in 2020–21), but improvement is still needed.

Risk

Agencies should ensure IT policies remain relevant and current, especially after agency administrative changes (also known as Machinery of Government changes). These changes can abolish or create agencies, transfer policy, programs and service delivery to other agencies.

Supporting policies and standards do not always keep up with the transfer, and agencies need to evaluate where supporting IT functions and risks change and need updating. Machinery of Government changes have impacted ten of the 25 agencies since March 2023.

IT risks are identified and reported to senior management

All 25 agencies maintained a register of IT risks, and reported major risks to senior management outside the IT function.

Risk

Weaknesses in third-party IT service providers

Twelve per cent of agencies have deficiencies in their oversight of IT service providers or other organisations that are able to access their data. Gaps include failing to:

• review independent audit reports on the effectiveness of controls of a service provider
• apply information security to a service provider that handles sensitive personal data
• perform a risk assessment over all service providers used for IT services
• hold third parties accountable to meet their security obligations under agreements. 

Risk

Agencies should be aware of the risks arising from engaging a third party to provide services, or allowing third parties to access or store their data. Agencies should ensure that third parties are:

• obliged to maintain effective controls over their own environments
• provide a level of protection over data comparable to that if the agency still held the data
• are held accountable to meet their obligations
• applying adequate oversight to mitigate the risk of service providers to their third parties (sometimes called ‘fourth party risk’).

Third parties subject to a high level of oversight provide agencies with an independent assurance report detailing the effectiveness of controls over the reporting period. Agencies should ensure that weaknesses or incidents identified in these reports are responded to appropriately.

IT access management ensures that transactions and changes made to data are performed in the normal course of business by authorised staff.

We evaluated the following as part of the audits of all agencies in this report:

• access is approved
• access is removed when no longer required
• access rights are reviewed periodically and excessive access, if identified is removed
• highly privileged accounts are restricted and monitored
• systems are configured to reduce the risk of guessing or otherwise determining an account password.

From the audit work performed, the following themes were identified.

Eight agencies failed to effectively restrict user access to current and approved staff

Thirty-two per cent of agencies had ineffective processes to ensure that access was approved before it was provided to users, and that access was removed promptly when no longer needed. Four lead IT agencies had ineffective processes, and two of these agencies separately manage the financial systems for another four agencies. These agencies were unable to show evidence of approval for the access provided to some users and had failed to disable all access once users had left the organisation.

Risk

Agencies should ensure that access is approved before being provided and that evidence of approvals is retained.

Twelve agencies failed to effectively review and revalidate user access

Forty-eight per cent of agencies had deficiencies in their review and revalidation of user access. These gaps included:

• not keeping sufficient records to indicate the purpose or approach of the review
• only reviewing access for terminated staff accounts, but not revalidating that access was appropriate for other accounts
• commencing a process to revalidate user access, but the process remained incomplete as not all business areas had responded to confirm access remained appropriate
• not reviewing access for all key systems or for all accounts on those systems, or performing only informal, undocumented reviews
• performing reviews that did not identify access permissions in excess of requirements.

This deficiency is down from 56% in 2022 and 60% in 2021.

Risk

Agencies should regularly perform reviews of user access to ensure the existing access permissions are appropriate, and user accounts are still required. Corrective action should be prompt and evidence of changes retained.

Agencies are not effectively restricting and monitoring privileged users’ access

Thirty-six per cent of agencies had deficiencies in their controls over privileged users’ accounts. Eight lead agencies had these deficiencies, with one agency managing the system for another agency. This is unchanged from the 36% we observed in 2022.

Deficiencies included:

• using generic accounts with full system access
• failing to restrict privileged user access only to those users who require that level of access
• failing to monitor or review activity performed using privileged user accounts.

Risk

Agencies should restrict the privileged user accounts, granting that level of access only on an ‘as needs’ basis. Agencies should regularly monitor or review activity by privileged users.

Agencies have improved compliance with their own password policies

This year, only one agency (four per cent) (28% in 2022) had not implemented password parameters in line with their own policies through system configuration.

The deficiencies repeated from prior year are:

• minimum and maximum password age not applied (such as prompting the periodic change of passwords), and no formal periodic process to manually require password changes
• use of default and generic passwords.

Risk

Agencies should ensure that their password policy and standards are in line with current good practice on effective use of passwords or passphrases, and should ensure that their own standards are enforced through system configuration.

Management of IT changes ensures that changes to how programs work are in line with requirements, that unintended or unauthorised changes are not made. These management checks and reviews should be designed and enforced so they cannot be avoided, even when there is excessive access to both make and implement changes.

We evaluated the following as part of all audits for the agencies in the report:

• changes are appropriately tested before implementation to validate that systems operate as intended
• changes are authorised to ensure they are in line with business requirements and expectations, and have been adequately documented and reviewed
• duties are segregated to prevent people from making changes and then implementing them without independent approval.

From the audit work performed, the following themes were identified.

Agencies can still improve controls to better manage program changes

Twelve per cent of agencies did not segregate the developer access from the access to migrate the change into the production system. A lack of segregation allows changes to be made without an independent check, and could allow unauthorised changes to enter the production system. Where agencies allow these practices due to the small size of their specialist teams, additional governance and monitoring processes have not been implemented to reduce the risk.

This issue has improved on prior years, down from 20% in 2022 and 32% in 2021.

Risk

Agencies should ensure that IT changes are appropriately tested, changes are authorised and there is a segregation of duties between those who can make changes and those who can implement changes.

Two agencies did not keep sufficient records of system implementation authorisations

We reviewed two system implementations in the year, and in both cases, there were inadequate records to demonstrate achievement of key milestones, including successful data migration testing and approval for go-live.

Risk

Agencies should formally record significant decisions and approvals during system implementations.

Management of IT operations ensures that key IT processes operate as expected, and that interfaces between systems are complete and accurate, so there is integrity of the data and information transferred.

We evaluated the following as part of all audits for the agencies in the report:

• key processes are monitored and action is taken to resolve issues identified
• key financial data is backed up, and agencies validate that backed up data can be restored
• disaster recovery plans are documented and tested.

From the audit work performed, the following themes were identified.

One agency needed to improve monitoring of key interfaces between finance systems

One agency did not have a control to ensure completeness and accuracy of an interface between finance systems. Our testing found discrepancies between the systems, which ought to have been synchronised if the interface was working correctly.

Monitoring is used to identify when key interfaces or batch jobs are interrupted or incomplete, and to ensure no data or transactions are missed. Interfaces and batch jobs allow for the correct calculation, reporting and processing of financial information to management, customers and suppliers.

The agency has committed to resolving this weakness by October 2023.

Risk

Four agencies do not have current disaster recovery plans (DRPs) or have not tested those plans

Sixteen per cent of agencies have deficiencies in their planning for recovering from disasters. Gaps included:

• three agencies have not tested one or more DRPs for a key finance system
• one agency does not have a DRP for a key system.

A disaster recovery plan helps agencies maintain IT services in the event of a service disruption, or restore IT systems and infrastructure in the event of a disaster or similar scenario.

Risk

Agencies should document plans to recover key systems and data in the event of a disaster, and test these plans.

There are key controls over purchasing and payroll systems that are common across most organisations.

These controls reduce the risk of unauthorised transactions or payments through those applications.

We evaluated the following as part of all audits for the agencies in this report:

• key transactions such as generating payment files are restricted to staff in appropriate roles
• segregation of duties is enforced, such as separating maintenance of masterfile data (for example, vendor bank details) and entering/approving invoices
• payment files are encrypted.

From the audit work performed, the following themes were identified.

Access is not effectively restricted for all sensitive payroll and finance system functions

Twenty-four per cent of agencies had not effectively restricted access to sensitive payroll functions only to staff who require this access to perform their role. Deficiencies at one of these agencies (a lead IT agency) impacts three other agencies. Another agency had not effectively restricted access to key transactions in its finance system only to those staff who require that level of access to perform their role.

Examples of inappropriate or excessive access include user accounts that can change rates of pay and bank account details, even though this access is not required in their roles.

Risk

Agencies should ensure that access to perform higher risk activities in finance systems is restricted only to users who require that level of access to perform their role.

Agencies should define what segregations of duties are required in their business processes

Twenty-four per cent of agencies have not defined the duties that should be segregated in their financial transaction processing. These six agencies comprise four lead IT agencies, with one of these agencies processing financial transactions on behalf of two dependent agencies.

Major finance applications allow for the enforcement of access rights in such a way that no single user can perform all the steps required to process certain transactions or other high-risk activities, reducing the risk of undetected fraud.

These can be configured when implementing the system, and should be based on commonly known risks as well as business-specific requirements.

Two agencies have not defined their own requirements, and have either configured segregations directly in the system without first documenting them, or have adopted the default settings in the system without considering their suitability for their business processes and risks.

We noted two agencies did not restrict all basic segregation of duties in their financial system for vendor master changes. Agencies need to review their procedures and roles so they can appropriately monitor and correct changes.

Some agencies have not implemented segregation of duties in their payroll system

Thirty-two per cent of agencies had not implemented segregations of duties over key payroll functions, with one further agency implementing due to a change in their payroll system part way through the year (but not in effect for most of the year). One of these lead IT agencies manages the payroll for three other agencies. System enforced segregation of duties in payroll can reduce the potential for fraud and error in payroll transactions by preventing errors and irregularities in the process. Enforcing this through the IT systems ensures a consistent and efficient management of this risk. Some agencies choose not to implement system-based segregation of duties, but then require additional controls to identify errors and irregularities, and corrective controls to address the errors when they are identified.

One agency had users with inappropriate access to edit the employee master file. The inappropriate users included accountants and reporting analysts who do not require access to update and edit personnel information as part of their role.

Risk

Agencies should define the segregations of duties applicable to their business processes, including payroll functions, and ensure these are configured so they are enforced by the finance and payroll systems.

Most agencies use encryption to ensure secure pay instructions are not modified

Twelve per cent of agencies did not encrypt payment files after being generated. One agency processes payroll on behalf of itself and two other dependent agencies covered by this report.

Files are protected by encryption while being transmitted to the bank, but before transmission, they are stored on agency systems in an unencrypted format. Banks recommend that payment files are encrypted upon generation. This reduces opportunities for the data to be changed, and also protects the confidentiality of the personal sensitive data that may be contained in those files.

One agency does encrypt some of its payment files, but not all due to technical incompatibility between the various technologies in use. They rely on reconciliations to detect any unauthorised changes, which might detect monetary changes, but is unlikely to detect changes in key fields such as account numbers.

Risk

Agencies should encrypt payment files where it is feasible to do so.

Our performance audit report on Cyber Security NSW: governance, roles and responsibilities was tabled on 8 February 2023. That report found that Cyber Security NSW:

• has a clear purpose that is in line with wider government policy and objectives. However, it does not clearly and consistently communicate its key objectives, with too few reliable and meaningful ways of measuring progress toward those objectives
• does not provide adequate assurance of the cyber security maturity self-assessments performed by NSW government agencies. Department heads are accountable for ensuring their agency's compliance with NSW government policy
• has a remit to assist local government to improve cyber resilience. However, it cannot mandate action and does not have a strategic approach guiding its efforts.

The report made four recommendations. By 30 June 2023 the Department of Customer Service should:

1. implement an approach that provides reasonable assurance that NSW government agencies are assessing and reporting their compliance with the NSW Government Cyber Security Policy in a manner that is consistent and accurate
2. ensure that Cyber Security NSW has a strategic plan that clearly demonstrates how the functions and services provided by Cyber Security NSW contribute to meeting its purpose and achieving NSW government outcomes
3. ensure that Cyber Security NSW has a detailed, complete and accessible catalogue of services available to agencies and councils
4. develop a comprehensive engagement strategy and plan for the local government sector, including councils, government bodies, and other relevant stakeholders.

The Department of Customer Service accepted all four recommendations and has progressed several initiatives to fulfil them.

This report focuses on cyber security risks identified in our financial audits. Our financial audits consider cyber security planning and governance (with a focus in the current year on the detect and respond components of the NSW Cyber Security Policy), and the potential impact of incidents on the financial statements we audit.

Maturity against Essential Eight

Cyber is a ubiquitous risk. Responding to cyber risk is challenging for agencies as the environment is highly dynamic. A pragmatic and proportional response to the risk each agency faces is required, given the most appropriate strategies, controls and safeguards are constantly evolving. This needs to be kept in mind when considering the following reporting on the Essential Eight. The Essential Eight Maturity Model itself keeps changing, introducing new requirements, and changing or dropping others. Therefore, reporting on maturity and the setting of target maturities has its limitations. However, at an aggregate level, the following information is insightful as to how the sector is responding to the risk of cyber.

The Australian Cyber Security Centre (ACSC) periodically updates the Essential Eight maturity model in response to the observed techniques in use by malicious actors.

The Essential Eight maturity model uses a four-point scale. The definitions for each maturity level are: 

Essential Eight Maturity Model

The ACSC suggests that:

Essential Eight controls were reported to CSNSW on outdated requirements

New South Wales agencies were required to assess their cyber maturity at 30 June 2023 against the October 2021 version of the ACSC Essential Eight maturity model, though it has been superseded. Six of the eight Maturity requirements remained unchanged in the November 2022 update. CSNSW advise that an assessment against the former model allows direct comparability with previous years and visibility on year-on-year trends.

The ACSC however, strongly encourage organisations to use the latest version:

The NSW Cyber Security Policy recognises the ACSC's Essential Eight has regular updates as a baseline of mitigation strategies and encourages agencies to refer to the latest version. CSNSW advise they are in discussion with the ACSC and will update the NSW Cyber Security Policy in consideration of the current and future Essential Eight models, its limitations and how to set the best minimum standards for agencies.

Essential Eight maturity levels have remained unchanged or have declined

The median reported maturity shows no improvement in agencies' implementation of the Essential Eight controls since the introduction of the reporting requirement, and there has been a decrease in median maturity reported for patching operating systems and restricting administrative privileges.

Maturity against some Essential Eight strategies has decreased

The table below reports the maturity levels of NSW government agencies reported in implementing the former model of the Essential Eight cyber risk mitigation controls, using the previously mentioned scale from zero to three. The movement indicator shows whether there has been an overall increase or decrease in maturity levels from 2022 based on the relative percentages of self-assessments in each maturity level. 

There has not been a consistent improvement in maturity across agencies, with half of the controls showing only small improvements, while half have decreased. Decreased maturity was reported for patching, application hardening and managing administrative privileges. As highlighted in section 3.3 above, we continue to report control deficiencies in restricting and monitoring privileged access at agencies, and these findings need to be addressed by the agencies as a priority.

Essential Eight maturity may not be suitable for the level of risk agencies face

Eighty-five per cent of maturity assessments have not reached level one maturity across each of the Essential Eight. Maturity level one is recommended by the ACSC for small to medium enterprises to address threat actors with low sophistication and using commonly available tools.

Ninety-four per cent of maturity assessments have not reached level two maturity across each of the Essential Eight. Maturity level two is recommended for large enterprises to address more capable threat actors using common techniques. We consider large departments, particularly those involved in service delivery to NSW citizens and those that hold data related to NSW citizens to be large enterprises.

Just one assessment of the 110 has reported that it has implemented all of the Essential Eight at level three. This maturity level is recommended for organisations that operate in a high threat environment, and is appropriate to address more sophisticated and targeted attacks from well funded and organised groups. This is an agency with fewer than 50 staff and an ICT budget under $300,000.

Target maturity across government

In 2022, agencies reported their target maturity for 2023 against the Mandatory Requirements and the Essential Eight, along with their assessed maturity level.

Agencies are targeting low levels of maturity

Target maturity for June 2024 remains low for many agencies. Of the 110 maturity assessments:

• 45 agencies (41%) have a target of below three for one or more Mandatory Requirements (this was 36% in 2022)
• 26 agencies (24%) have a target of zero for one or more Essential Eight (this was also 24% in 2022)
• 72 agencies (65%) have a target of below two for one or more of the Essential Eight (this was 64% in 2022).

Target maturity for the largest agencies

Due to changes in Machinery of Government and other changes in how agencies report, as well as the limited applicability of the Essential Eight for some types of systems, not all in-scope agencies have comparable data across 2022 and 2023. We identified 23 agencies that have reported comparable data for the Mandatory Requirements, and 21 agencies that have comparable data for the Essential Eight.

We compared the 30 June 2023 targets reported in 2022 with the current maturity reported in 2023 for these agencies.

No agency met all their June 2023 Mandatory Requirement maturity targets

Of the 23 agencies with comparable data, none of them reported meeting all their targets for 2023, as reported in 2022, against all the Mandatory Requirements.

All agencies had met their target for at least one of the requirements, and on average agencies reported 11.5 of the 20 requirements (57%) at or above the target they set for 2023, with 8.5 requirements (43%) below target.

No agency met all their June 2023 maturity targets for the Essential Eight

Of the 21 agencies with comparable data, none reported their current 2023 maturity at or above the target set in 2022, against all of the Essential Eight.

Three agencies (14%) had not met their 2023 target for any of the Essential Eight, and 18 had met their target for at least one of the Essential Eight.

On average, agencies reported 3.4 of the eight requirements (42%) at or above their reported 2023 target, with 4.6 requirements (58%) below target.

As reported in 2022, 92% of the 25 in-scope agencies had approved plans and 88% of agencies had approved budgets to meet these targets.

Cyber Incident Response Plans

The NSW Cyber Security Policy states that agencies must have a current cyber incident response plan, which integrates with the agency incident management process and the NSW Government Cyber Incident Response Plan. These plans should prepare agencies to identify and respond to cyber incidents when they occur, and minimise the impact to the agency and its stakeholders.

One agency has not developed their own Cyber Incident Response Plan

All 25 agencies have a cyber incident response plan.

One agency relies on the NSW Cyber Incident Plan and did not tailor this plan for their own agency. However, they use the Plan as a framework and tailored their supporting incident responses. Apart from this agency, the remaining 24 agencies integrated their agency incident management plans with the NSW Government Cyber Incident Response Plan.

The use of the standard NSW Cyber Incident Plan may not meet the operating requirements, risk appetite and threats specific to each agency. This could affect the scope and ability for an agency to adequately respond to an incident.

Some plans do not consider vendors in their Cyber Incident Response Plan

Twelve per cent of cyber incident response plans did not specify vendors in the response to cyber incidents.

Excluding vendors out of the incident response may weaken containment objectives and increase the outage of business operations. Vendors may include IT service providers and business suppliers, both within government and from the private sector.

Agencies should specifically include vendors in their cyber incident response plans.

Three agencies have documented incident responses for only one cyber security scenario

We noted 12% of agencies have detailed incident procedures and responses for only a ransomware scenario in their playbook. Playbooks are documented incident responses that are tailored to address plausible cyber security incidents, and support the cyber incident response plans. Playbooks could cover scenarios such as (but not limited to) denial of service attacks, website defacement, compromise by an external attack, phishing and data breaches. Cyber security playbooks allow agencies to have a planned and standardised approach for responding to these plausible cyber security scenarios.

Agencies without a broad range of playbooks may need to identify key stakeholders, IT systems and networks, and establish their response, containment and recovery processes during an incident, potentially delaying the response and increasing the severity of the incident.

Testing or exercising Cyber Incident Response Plans

The NSW Cyber Security Policy requires that agencies exercise their cyber incident response plan at least every year. Performing a cyber incident response exercise increases stakeholder familiarity with the plan, and validates that the plan will operate. It also gives an opportunity to identify gaps or deficiencies in the plan which can be remediated.

Testing of Cyber Incident Response Plans is key to identifying improvement areas

Testing or activation of the Cyber Incident Response Plan varied across the 21 agencies during 2022–23.

Tabletop testing is where key personnel meet to discuss and talk through a scenario and test plan details. Functional testing for the sampled clients included interactive exercises on a simulated IT environment with investigation of data, analysis and output of communications.

The two agencies that did not exercise or test their cyber incident response plans advised they were newly formed or had a new team. Both agencies intend to test their plan by 2024.

We noted 23 agencies that tested or activated their plans had identified potential improvements, and had documented their learnings from the exercises. Two of these agencies identified significant gaps:

• One of the tabletop test exercises had major failings in responsibility definition, protocols for forensic engagement and had not defined restoration timeframes. This exercise involved two participating agencies.
• The other agency had significant failings when testing their Cyber Incident Response Plan. Their test noted an inadequate plan, where the team deferred to draft or ad hoc processes. This resulted in confusion and several decision stalemates. This agency revised and updated their plan after the test.

No whole-of-government exercise was performed in 2022–23

Our 2023 report on Cyber Security NSW: governance, roles, and responsibilities reported that:

The foundations of Cyber Security NSW stem from the appointment of the Government Chief Information Security Officer in March 2017, which served the same high-level purpose of supporting government online service delivery. This role had four high-level ‘pillars’ to guide activity:

• coordinating the annual cyber security exercise program
• implementing the NSW Cyber Security Policy
• expanding the cyber security intelligence capability of the State
• cultural uplift and awareness raising.

The first pillar was the conduct of an annual cyber security exercise. The last whole-of-government exercise was conducted in two parts, in April and September 2021.

CSNSW advise that no exercise was performed due to the caretaker period and changes to government, and reviews of the State Emergency Management Plan and the State Emergency Sub Plan.

For policies to be effective they should be implemented as prescribed for good governance.

Monitoring systems to identify cyber incidents

Agencies use monitoring systems to detect cyber security issues. These monitoring systems may monitor events, threats and vulnerabilities across IT systems, networks and users.

The NSW Cyber Security Policy requires that agencies ensure that ICT systems and assets are monitored to identify cyber security events and verify the effectiveness of protective measures. There is no specific direction or requirement on what monitoring should be in place.

Without effective monitoring systems, agencies are at greater risk of not identifying all cyber incidents, and maybe unable to respond adequately to minimise the impact of cyber incidents.

Observed cyber security event monitoring systems

Below is a flowchart of the typical monitoring systems we have observed in use by some agencies and what their purpose is. It shows the flow of different types of data collected across the IT systems, how they work together and the information and analysis that cyber security teams may obtain from their cyber security monitoring systems.

System monitoring for cyber incidents is varied across agencies

All 25 agencies have automated monitoring systems deployed to detect cyber security events. Agencies use multiple systems to monitor and evaluate these security events.

The scope of monitoring systems in place varies:

• some agencies cover their email account usage, server activity and network traffic with one suite of monitoring tools
• other agencies monitor all servers, workstations and mobile devices using multiple tools.

Agencies have increased the types of activities being monitored, and the number of systems being monitored during the year.

There is a varied capability to identify, triage and follow up incidents. Automation is being used to identify cyber security events. Events are being logged in industry standard systems, usually with artificial intelligence to feed into manual analysis, and interfaced incident escalation from externally managed security providers where relevant. One agency has automated their triaging for approved and standard cyber security events, which closes low priority incidents. Agencies retain internal security operations to analyse and triage moderate and high-risk incidents, sometimes in combination with their managed security service providers (MSSP).

The varied range in agencies’ monitoring capability should reflect different risks, systems, and information held by individual agencies.

Risk

Agencies should continue to expand the monitoring systems and type of activities being monitored.

Integration and performance issues with service providers can hinder effective cyber incident detection and response

The ability to build cyber security capability has been limited by a shortage of expertise that affects the cyber security industry, in both public and private sectors. Agencies utilise different resourcing models to enable this capability, and all agencies have internal security functions, with some supported by external providers.

Seventy-two per cent of agencies use managed security service providers (MSSP) to supplement their internal security operations teams. Integration between internal security operations and MSSPs varies, with some having interfaced incident management and some manually logging significant MSSP incidents into their internal systems. One agency assessed that their needs could be better achieved by establishing an internal function to replace a MSSP, highlighting the challenges that agencies can face in establishing an effective resourcing model.

Integration and performance issues can reduce the ability of agencies to identify, contain and respond to cyber security incidents in a timely and appropriate manner.

Risk

Agencies should ensure they have the appropriate level of resources and capability, supported by robust and reliable processes across internal and external teams.

Three agencies have only recently implemented monitoring systems on key operational systems

NSW government agencies provide a number of essential services for NSW citizens, many of which depend on IT systems which were designed before cyber security became a significant concern or are not compatible with industry standard monitoring tools.

We noted three agencies only recently established cyber security monitoring on IT systems for their main operations even though those IT systems have been in place for several years:

• One agency only established their cyber security operations centre for their operational systems in early 2023. The delay was due to contractual gaps identified between the agency and the service provider. This required 18 months to design and establish the security architecture, monitoring systems and resource the security operations team.
• The second agency only setup the monitoring systems in 2022 and was still implementing them across the operational systems. Delays were caused by the need to update the security architecture and shift IT systems to current industry standard platforms.
• The third agency is still establishing monitoring systems to cover their key operational system.

Failure to adequately monitor these operational systems for cyber incidents could leave these IT systems vulnerable to attacks and outages. This could severely hinder or interrupt business operations or the provision of essential services.

Agencies should focus resources on supporting cyber security coverage on operational systems despite the complexities of dated systems.

Identifying incidents and activating the Cyber Incident Response Plans

The NSW Cyber Security Policy defines a cyber incident as:

Criteria has been provided to classify incidents, and this has been adopted by all of the agencies in scope for this report. While there is some subjectivity in applying the criteria, examples are also provided to assist agencies correctly classify incidents.

Insufficient records kept to support incident classifications at six agencies

Twenty-four per cent of agencies have not kept records to show how they have determined classifications for potential cyber incidents. These agencies had detected events through their monitoring tools, which appeared to match the examples of cyber incidents in the classification criteria. From the records available it was not possible to determine why these had not been regarded as incidents. Examples identified included malware found to be spreading in an agency's IT environment, and a case of ransomware activated on an employee computer. Since these were not classified as incidents, the cyber incident response plans were not activated or followed.

One agency failed to identify any cyber incidents during the year despite having a well resourced cyber security function and extensive monitoring tools deployed. Failing to correctly identify a cyber incident increases the risk of under reporting cyber incidents and could limits the opportunity to respond appropriately to minimise the impact of those incidents.

There is a varied capability for agencies to follow their incident management plans for user identified cyber security events

Sixteen per cent of agencies had not followed their cyber incident response plans when analysing and responding to user identified cyber security events. User identified security events are incidents that are identified manually by personnel and raised as cyber security event.

Issues identified included:

• an incorrect low-risk rating on a compromised user account
• no root cause analysis for a compromised user account
• inadequate investigation and documentation of phishing incidents before resolving and closing tickets
• an agency did not close the incident tickets for four of the five sampled cyber security events, although there was timely resolution and remediation of the event
• a ransomware incident that was closed without investigation.

Agencies not following the cyber incident response plans may expose systems and data to cyber threats without appropriate analysis. This could result in unknown breaches and the unnecessary spread of cyber threats and attacks within the agencies’ IT environment.

Agencies need to ensure cyber security events are identified, analysed and have appropriate responses.

Our review of agencies' internal audit functions noted the following:

• all reported to the audit and risk committee with many also reporting to the agency's chief executive/accountable authority
• all operated under an internal audit charter. With one exception, charters are required to be reviewed at least annually as per TPP 20-08
• all had an internal audit plan that was endorsed by the audit and risk committee and approved by the accountable authority
• all had current internal audit plans in place
• internal audits are selected with consideration of the corporate/enterprise risks
• 28% of agencies have not had an external assessment performed on their internal audit function.

As required by TPP 20-08, agencies should ensure an external assessment of the internal audit function is conducted by a qualified, independent assessor selected in consultation with the audit and risk committee at least once every five years.

Audit and risk committees

Not all audit and risk committees (ARCs) complied with the requirements of Treasury policy TPP 20-08

All agencies operate ARCs as required under TPP 20-08. The policy defines an ARC as a committee established in accordance with the policy, to monitor, review and provide advice and guidance about the agency's governance processes, risk management and internal control frameworks and external accountability obligations.

Our review noted:

• 3 ARCs performed a self-assessment of their performance against the ARC charter only once every three years, instead of annually as required under TPP 20-08
• 5 ARCs had not provided formal reporting to the accountable authority in the last 12 months as required under TPP 20-08
• all were led by independent chairs appointed through the NSW Prequalification Scheme
• all were comprised of between three to five independent members, and were generally selected from the NSW Prequalification Scheme as required under TPP 20-08, with one exception
• all members had completed a declaration of interests
• all operated under an ARC charter. However, two agencies' charters were not reviewed in the last 12 months as required under TPP 20-08.

As required under the TPP 20-08, ARCs should ensure they periodically review their practices against the ARC charter and also ensure the charter aligns with Treasury policy.

For three agencies (Sydney Trains, NSW Trains and Fire and Rescue NSW), overtime expenses represented over ten per cent of their total salaries and wages in 2023. The agencies advised these were generally driven by unplanned staff shortages at the operational level.

Ten agencies had at least one employee working overtime hours in excess of 50% of their standard hours

In 2023, the most overtime hours paid to an employee was 2,156 hours, which was 109% more than their standard hours. With overtime and standard hours combined, that employee may have worked the equivalent of 79 hours a week on average for a whole year. However, some awards and employment contracts provide for additional overtime hours be recorded over and above those actually worked, for example for the hour immediately preceding and following the overtime hours worked.

The table below lists the top five agencies with their top three employees with the highest number of recorded overtime hours in the year ended 30 June 2023.

Most of the award conditions for overtime payment allow for overtime hours worked to be paid at time-and-a-half or double-time.

The employer agencies noted in the table above advised that the operational reasons for their employees’ high levels of overtime were due to resourcing constraints, severe staff shortages, unfilled rosters, and increased activity demand due to a number of projects underway.

Of these five agencies, three do not have a specific policy on overtime management and two of the three also do not monitor overtime hours at an executive level.

Staff consistently working high hours of overtime may be at greater risk of poor mental and physical health. They may be more likely to suffer burn-out, stress related and other health conditions, and have an increased risk of occupational injury. These risks should be considered and managed through each agency's WHS policy framework and workforce strategy.

WHS management

Framework and structure

Five agencies have outdated WHS policies, which do not cover changes to WHS regulations

All agencies have a WHS policy that is aligned with WHS legislation: the Work Health and Safety Act 2011 (WHS Act) and Work Health and Safety Regulation 2017 (WHS Regulation). However, five agencies' WHS policies are outdated as they have not incorporated updates to the WHS Regulation on managing psychosocial risks which were first introduced in NSW on 1 October 2022.

Four agencies also do not have psychosocial hazards in their WHS procedures.

All agencies' WHS policies:

• are generally aligned with the codes of practice from SafeWork NSW
• clearly allocate roles and responsibilities in accordance with the requirements of the WHS legislation
• extend responsibilities, as appropriate, to visitors and contractors.

Agencies have established appropriate WHS committees

WHS committees, or health and safety committees, allow organisations to work together with workers on health and safety matters. The functions of the WHS committee are to facilitate cooperation in developing and carrying out measures to improve the safety of workers, and help develop health and safety standards, rules and procedures.

All agencies except one have established a WHS committee, which is mandatory if requested by a health and safety representative in the organisation, or by five or more workers. The one agency without a WHS committee advised that it has not been requested to form a committee.

The compositions of other agencies’ WHS committees are in accordance with section 76 of the WHS Act, which requires at least half of the members to be nominated by workers.

Risk assessment and reporting

All agencies except one have included WHS risks in their corporate or enterprise risk registers. The one agency is renewing its risk register and framework to be implemented in late 2023, which is expected to include WHS risks. The risk ratings range from moderate to high. Eighty-eight per cent of agencies maintain a separate WHS risk register which contain more detailed, operational level risks. Of these, one agency does not have psychosocial risks in its WHS risk register.

Forty-five per cent of agencies with separate WHS risk registers have included psychosocial risks in their top three risks. These agencies tend to have more administrative operations than those agencies providing 'front line' services involving physical labour and use of heavy machinery and equipment.

Agencies assess WHS risks and hazards through a variety of methods, including:

• hazard reporting by workers
• workplace inspections
• consultation in various team meetings and WHS committees
• regular risk assessment processes, including review of incident reports
• investigations or audits.

However, the processes at eight per cent of agencies do not include assessment for psychosocial hazards.

Over 20% of agencies do not regularly report WHS matters to those charged with governance

Twenty-four per cent of agencies do not regularly report WHS matters to the board (or equivalent), and 20% do not report to the audit and risk committee. Twelve per cent of agencies report to neither the board nor the audit and risk committee. Whilst these agencies have reporting mechanisms to separate executive or management teams, the lack of oversight by those charged with governance may increase the risk of inadequate response to risks and/or incidents.

Officers, including those charged with governance, have duties of care under the WHS Act and it is important that they receive regular reporting to understand and be able to discharge their legal obligations for ensuring safe workplaces.

All agencies have reported notifiable incidents, as defined in the WHS Act, to SafeWork NSW, if any occurred during the year ended 30 June 2023. A notifiable incident is a death of a person, serious injury or illness of a person, or a dangerous incident. All agencies except two also communicated those reports of notifiable incidents to those charged with governance.

Three agencies did not demonstrate evidence that they reviewed and responded to complaints or whistle-blower reports regarding WHS in the year ended 30 June 2023.

WHS activities

Staff are required to complete WHS checklists for their home office at only 68% of agencies

Although all agencies have implemented flexible working arrangements, and the proportion of employees who regularly work from home ranges from five per cent to 100%, only 68% of agencies require employees to complete an annual WHS checklist on the safety of their home office where those employees do work from home. All agencies had completed WHS checklists for the agencies' work sites.

WHS training could be improved

Thirty-two per cent of agencies do not provide annual WHS refresher training for all employees. Of those that conduct mandatory WHS refresher training, the training completion rates range from 66% to 100%. The SafeWork NSW code of practice 'How to manage work health and safety risks' recommends providing up-to-date training to maintain competencies and ensure WHS control measures remain effective.

Twelve per cent of agencies do not carry out WHS induction training for contractors and visitors. Contractors and visitors are included in the scope of the WHS Act, as employers have a primary duty of care for the health and safety of all people in the workplace. In many circumstances, it is useful for contractors and some types of visitors (excluding customers, delivery people, etc) to receive a WHS induction the first time they are on-site.

Mental health

Under WHS laws, employers are responsible for managing risks to employees' mental health at work. Psychosocial hazards can harm mental health.

The most common psychosocial hazards that agencies have identified as relevant to their workers are listed in the chart below.

All except two agencies have reported psychosocial incidents during 2023, ranging from one to over 27,000 incidents. This is a broader category than psychological injury claims under WHS insurance, however 36% of agencies have not reported additional incidents compared to their number of psychological injury claims. This may indicate a lack of adequate reporting mechanisms for psychosocial incidents.

Psychological injury claims have grown in recent years and were the focus of a Parliamentary Standing Committee report, 2023 Review of Workers Compensation Scheme. The report made a number of recommendations for Insurance and Care NSW, the State Insurance Regulatory Authority and SafeWork NSW in relation to understanding the drivers of psychological claims and developing programs to identify, manage and respond to psychosocial hazards.

All agencies have conducted training during the 2023 year on bullying and harassment, as well as mental health first aid. Three agencies have not conducted training on stress management/burn-out risk, even though it is one of the top psychosocial hazards identified across the agencies (role overload).

One measure of identifying potential staff burn-out is whether employees are taking annual leave or long service leave. Taking regular periods of leave enables employees to maintain their physical and mental wellbeing and positively impacts on productivity in the workplace.

All agencies monitor excessive employee leave balances (usually those with over 30 days of annual leave, in accordance with Treasury Circular TC 16-03 'Managing Accrued Recreation Leave Balances') at least on a quarterly basis.

Employees at greater risk of burn-out are those who have not taken any annual leave or long service leave in the twelve months to 30 June 2023. The number of such employees range from nil to over 36,000. As a percentage of total staff (by headcount), this ranges up to 84.9%.

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.