Reports
Detecting and responding to cyber security incidents
A report released today by the Auditor-General for New South Wales, Margaret Crawford, found there is no whole-of-government capability to detect and respond effectively to cyber security incidents. There is very limited sharing of information on incidents amongst agencies, and some agencies have poor detection and response practices and procedures.
The NSW Government relies on digital technology to deliver services, organise and store information, manage business processes, and control critical infrastructure. The increasing global interconnectivity between computer networks has dramatically increased the risk of cyber security incidents. Such incidents can harm government service delivery and may include the theft of information, denial of access to critical technology, or even the hijacking of systems for profit or malicious intent.
This audit examined cyber security incident detection and response in the NSW public sector. It focused on the role of the Department of Finance, Services and Innovation (DFSI), which oversees the Information Security Community of Practice, the Information Security Event Reporting Protocol, and the Digital Information Security Policy (the Policy).
The audit also examined ten case study agencies to develop a perspective on how they detect and respond to incidents. We chose agencies that are collectively responsible for personal data, critical infrastructure, financial information and intellectual property.
Some of our case study agencies had strong processes for detection and response to cyber security incidents but others had a low capability to detect and respond in a timely way.
Most agencies have access to an automated tool for analysing logs generated by their IT systems. However, coverage of these tools varies. Some agencies do not have an automated tool and only review logs periodically or on an ad hoc basis, meaning they are less likely to detect incidents.
Few agencies have contractual arrangements in place for IT service providers to report incidents to them. If a service provider elects to not report an incident, it will delay the agency’s response and may result in increased damage.
Most case study agencies had procedures for responding to incidents, although some lack guidance on who to notify and when. Some agencies do not have response procedures, limiting their ability to minimise the business damage that may flow from a cyber security incident. Few agencies could demonstrate that they have trained their staff on either incident detection or response procedures and could provide little information on the role requirements and responsibilities of their staff in doing so.
Most agencies’ incident procedures contain limited information on how to report an incident, who to report it to, when this should occur and what information should be provided. None of our case study agencies’ procedures mentioned reporting to DFSI, highlighting that even though reporting is mandatory for most agencies their procedures do not require it.
Case study agencies provided little evidence to indicate they are learning from incidents, meaning that opportunities to better manage future incidents may be lost.
Recommendations
The Department of Finance, Services and Innovation should:
- assist agencies by providing:
- better practice guidelines for incident detection, response and reporting to help agencies develop their own practices and procedures
- training and awareness programs, including tailored programs for a range of audiences such as cyber professionals, finance staff, and audit and risk committees
- role requirements and responsibilities for cyber security across government, relevant to size and complexity of each agency
- a support model for agencies that have limited detection and response capabilities
- revise the Digital Information Security Policy and Information Security Event Reporting Protocol by
- clarifying what security incidents must be reported to DFSI and when
- extending mandatory reporting requirements to those NSW Government agencies not currently covered by the policy and protocol, including State owned corporations.
DFSI lacks a clear mandate or capability to provide effective detection and response support to agencies, and there is limited sharing of information on cyber security incidents.
DFSI does not currently have a clear mandate and the necessary resources and systems to detect, receive, share and respond to cyber security incidents across the NSW public sector. It does not have a clear mandate to assess whether agencies have an acceptable detection and response capability. It is aware of deficiencies in agencies and across whole‑of‑government, and has begun to conduct research into this capability.
Intelligence gathering across the public sector is also limited, meaning agencies may not respond to threats in a timely manner. DFSI has not allocated resources for gathering of threat intelligence and communicating it across government, although it has begun to build this capacity.
Incident reporting to DFSI is mandatory for most agencies, however, most of our case study agencies do not report incidents to DFSI, reducing the likelihood of containing an incident if it spreads to other agencies. When incidents have been reported, DFSI has not provided dedicated resources to assess them and coordinate the public sector’s response. There are currently no formal requirements for DFSI to respond to incidents and no guidance on what it is meant to do if an incident is reported. The lack of central coordination in incident response risks delays and increased damage to multiple agencies.
DFSI's reporting protocol is weak and does not clearly specify what agencies should report and when. This makes agencies less likely to report incidents. The lack of a standard format for incident reporting and a consistent method for assessing an incident, including the level of risk associated with it, also make it difficult for DFSI to determine an appropriate response.
There are limited avenues for sharing information amongst agencies after incidents have been resolved, meaning the public sector may be losing valuable opportunities to improve its protection and response.
Recommendations
The Department of Finance, Services and Innovation should:
- develop whole‑of‑government procedure, protocol and supporting systems to effectively share reported threats and respond to cyber security incidents impacting multiple agencies, including follow-up and communicating lessons learnt
- develop a means by which agencies can report incidents in a more effective manner, such as a secure online template, that allows for early warnings and standardised details of incidents and remedial advice
- enhance NSW public sector threat intelligence gathering and sharing including formal links with Australian Government security agencies, other states and the private sector
- direct agencies to include standard clauses in contracts requiring IT service providers report all cyber security incidents within a reasonable timeframe
- provide assurance that agencies have appropriate reporting procedures and report to DFSI as required by the policy and protocol by:
- extending the attestation requirement within the DISP to cover procedures and reporting
- reviewing a sample of agencies' incident reporting procedures each year.
Appendix one - Response from agency
Appendix two - ISMS maturity model
Appendix three - About the audit
Appendix four - Performance auditing
Parliamentary reference - Report number #297 - released 2 March 2018
Council reporting on service delivery
New South Wales local government councils’ could do more to demonstrate how well they are delivering services in their reports to the public, according to a report released today by the Auditor-General for New South Wales, Margaret Crawford. Many councils report activity, but do not report on outcomes in a way that would help their communities assess how well they are performing. Most councils also did not report on the cost of services, making it difficult for communities to see how efficiently they are being delivered. And councils are not consistently publishing targets to demonstrate what they are striving for.
I am pleased to present my first local government performance audit pursuant to section 421D of the Local Government Act 1993.
My new mandate supports the Parliament’s objectives to:
- strengthen governance and financial oversight in the local government sector
- improve financial management, fiscal responsibility and public accountability for how councils use citizens’ funds.
Performance audits aim to help councils improve their efficiency and effectiveness. They will also provide communities with independent information on the performance of their councils.
For this inaugural audit in the local government sector, I have chosen to examine how well councils report to their constituents about the services they provide.
In this way, the report will enable benchmarking and provide improvement guidance to all councils across New South Wales.
Specific recommendations to drive improved reporting are directed to the Office of Local Government, which is the regulator of councils in New South Wales.
Councils provide a range of services which have a direct impact on the amenity, safety and health of their communities. These services need to meet the needs and expectations of their communities, as well as relevant regulatory requirements set by state and federal governments. Councils have a high level of autonomy in decisions about how and to whom they provide services, so it is important that local communities have access to information about how well they are being delivered and meeting community needs. Ultimately councils should aim to ensure that reporting performance is subject to quality controls designed to provide independent assurance.
Councils report extensively on the things they have done, but minimally on the outcomes from that effort, efficiency and performance over time.
Councils could improve reporting on service delivery by more clearly relating the resources needed with the outputs produced, and by reporting against clear targets. This would enable communities to understand how efficiently services are being delivered and how well councils are tracking against their goals and priorities.
Across the sector, a greater focus is also needed on reporting performance over time so that communities can track changes in performance and councils can demonstrate whether they are on target to meet any agreed timeframes for service improvements.
The degree to which councils demonstrate good practice in reporting on service delivery varies greatly between councils. Metropolitan and regional town and city councils generally produce better quality reporting than rural councils. This variation indicates that, at least in the near-term, OLG's efforts in building capability in reporting would be best directed toward rural councils.
Recommendation
By mid-2018, OLG should:
- assist rural councils to develop their reporting capability.
The Framework which councils are required to use to report on service delivery, is intended to drive good practice in reporting. Despite this, the Framework is silent on a number of aspects of reporting that should be considered fundamental to transparent reporting on service delivery. It does not provide guidance on reporting efficiency or cost effectiveness in service delivery and provides limited guidance on how annual reports link with other plans produced as part of the Framework. OLG's review of the Framework, currently underway, needs to address these issues.
Recommendation
By mid-2018, OLG should:
- issue additional guidance on good practice in council reporting, with specific information on:
- reporting on performance against targets
- reporting on performance against outcome
- assessing and reporting on efficiency and cost effectiveness
- reporting performance over time
- clearer integration of all reports and plans that are required by the Framework, particularly the role of End of Term Reporting
- defining reporting terms to encourage consistency.
The Framework is silent on inclusion of efficiency or cost effectiveness indicators in reports
The guidelines produced by OLG in 2013 to assist councils to implement their Framework requirements advise that performance measures should be included in all plans. However, the Framework does not specifically state that efficiency or cost effectiveness indicators should be included as part of this process. This has been identified as a weakness in the 2012 performance audit report and the Local Government Reform Panel review of reporting by councils on service delivery.
The Framework and supporting documents provide limited guidance on reporting
Councils' annual reports provide a consolidated summary of their efforts and achievements in service delivery and financial management. However, OLG provides limited guidance on:
- good practice in reporting to the community
- how the annual report links with other plans and reports required by the Framework.
Further, the Framework includes both Annual and End of Term Reports. However, End of Term reports are published prior to council elections and are mainly a consolidation of annual reports produced during a council’s term. The relationship between Annual reports and End of Term reports is not clear.
OLG is reviewing the Framework and guidance
OLG commenced work on reviewing of the Framework in 2013 but this was deferred with work re‑starting in 2017. The revised guidelines and manual were expected to be released late in 2017.
OLG should build on the Framework to improve guidance on reporting on service delivery, including in annual reports
The Framework provides limited guidance on how best to report on service delivery, including in annual reports. It is silent on inclusion of efficiency or cost effectiveness indicators in reporting, which are fundamental aspects of performance reporting. Councils we consulted would welcome more guidance from OLG on these aspects of reporting.
Our consultation with councils highlighted that many council staff would welcome a set of reporting principles that provide guidance to councils, without being prescriptive. This would allow councils to tailor their approach to the individual characteristics, needs and priorities of their local communities.
Consolidating what councils are required to report to state agencies would reduce the reporting burden and enable councils to better report on performance. Comparative performance indicators are also needed to provide councils and the public with a clear understanding of councils' performance relative to each other.
Recommendations
By mid-2018, OLG should:
- commence work to consolidate the information reported by individual councils to NSW Government agencies as part of their compliance requirements.
- progress work on the development of a Performance Measurement Framework, and associated performance indicators, that can be used by councils and the NSW Government in sector-wide performance reporting.
Streamlining the reporting burden would help councils improve reporting
The NSW Government does not have a central view of all local government reporting, planning and compliance obligations. A 2016 draft IPART ‘Review of reporting and compliance burdens on Local Government’ noted that councils provide a wide range of services under 67 different Acts, administered by 27 different NSW Government agencies. Consolidating and coordinating reporting requirements would assist with better reporting over time and comparative reporting. It would also provide an opportunity for NSW Government agencies to reduce the reporting burden on councils by identifying and removing duplication.
Enabling rural councils to perform tailored surveys of their communities may be more beneficial than a state-wide survey in defining outcome indicators
Some councils use community satisfaction survey data to develop outcome indicators for reporting. The results from these are used by councils to set service delivery targets and report on outcomes. This helps to drive service delivery in line with community expectations. While some regional councils do conduct satisfaction surveys, surveys are mainly used by metropolitan councils which generally have the resources needed to run them.
OLG and the Department of Premier and Cabinet have explored the potential to conduct state-wide resident satisfaction surveys with a view to establishing measures to improve service delivery. This work has drawn from a similar approach adopted in Victoria. Our consultation with stakeholders in Victoria indicated that the state level survey is not sufficiently detailed or specific enough to be used as a tool in setting targets that respond to local circumstances, expectations and priorities. Our analysis of reports and consultation with stakeholders suggest that better use of resident survey data in rural and regional areas may support improvements in performance reporting in these areas. Rural councils may benefit more from tailored surveys of groups of councils with similar challenges, priorities and circumstances than from a standard state-wide survey. These could potentially be achieved through regional cooperation between groups of similar councils or regional groups.
Comparative reporting indicators are needed to enable councils to respond to service delivery priorities of their communities
The Local Government Reform Panel in 2012 identified the need for ‘more consistent data collection and benchmarking to enable councils and the public to gain a clear understanding of how a council is performing relative to their peers’.
OLG commenced work in 2012 to build a new performance measurement Framework for councils which aimed to move away from compliance reporting. This work was also strongly influenced by the approach used in Victoria that requires councils to report on a set of 79 indicators which are reported on the Victorian 'Know your council' website. OLG’s work did not fully progress at the time and several other local government representative bodies have since commenced work to establish performance measurement frameworks. OLG advised us it has recently recommenced its work on this project.
Our consultation identified some desire amongst councils to be able to compare their performance to support improvement in the delivery of services. We also identified a level of frustration that more progress has not been made toward establishment of a set of indicators that councils can use to measure performance and drive improvement in service delivery.
Several councils we spoke with were concerned that the current approaches to comparative reporting did not adequately acknowledge that councils need to tailor their service types, level and mix to the needs of their community. Comparative reporting approaches tend to focus on output measures such as number of applications processed, library loans annually and opening hours for sporting facilities, rather than outcome measures. These approaches risk unjustified and adverse interpretations of performance where councils have made a decision based on community consultation, local priorities and available resources. To mitigate this, it is important to
- adopt a partnership approach to the development of indicators
- ensure indicators measure performance, not just level of activity
- compare performance between councils that are similar in terms of size and location.
It may be more feasible, at least in the short term, for OLG to support small groups of like councils to develop indicators suited to their situation.
Based on our consultations, key lessons from implementing a sector-wide performance indicator framework in Victoria included the benefits of:
- consolidation of the various compliance data currently being reported by councils to provide an initial platform for comparative performance reporting
- adopting a partnership approach to development of common indicators with groups of like councils.
Appendix one - Response from agency
Appendix two - Service delivery categorisation
Appendix three - Reporting targets and performance over time
Appendix four - Performance auditing
Appendix five - About the audit
Parliamentary reference - Report number #296 - released 1 February 2018
Volume Ten 2011 Focusing on Health
This report includes comments on financial audits of government agencies in the Health sector. In 2010-11, Ambulance Officers spent an extra 77,200 hours waiting at emergency departments for patients to transfer to hospital care. In 2010-11, only 66 per cent of patients were moved from the emergency department to an inpatient bed within eight hours of their arrival. This is significantly down on last year’s 73 per cent and well below the 80 per cent target.
Visiting medical officers and staff specialists
We found that hospitals are generally able to deploy their VMOs and staff specialists to be at the place and time required. However, a hospital’s ability to manage supply and demand at a local level is limited. This limitation will become more critical with the current national health reforms when public hospital funding will depend on their ability to set and meet activity targets and priorities. NSW Health cannot be sure that all payments made to VMOs are for agreed and delivered services. Across the hospitals visited we found limited checking of VMO claims for payment, limited quality information on staff specialist activities and limited hospital-level analysis of trends or inconsistencies in activities and treatments.
Parliamentary reference - Report number #219 - released 14 December 2011
Volume Nine 2011 focus on Education and Communities
The report includes comments on financial audits of government agencies in the Education and Communities sectors. The audits of the above entities’ financial statements for the year ended 30 June 2011 resulted in unmodified audit opinions within the Independent Auditor’s Reports. A key finding was that Treasury should consider issuing further guidance to arts and cultural bodies on collection valuation methodologies due to the significance of these assets to the State’s asset base.
Volume Eight 2011 Focus on Transport and Ports
The report includes comments on financial audits of government agencies in the Transport and Ports sectors. The audit of corporations’ financial statements for the year ended 30 June 2011 resulted in unmodified audit opinions within the Independent Auditor’s Reports. A key recommendation from the report is that Sydney Ports Corporation should continue working with other government authorities and industry stakeholders to improve the effectiveness of program initiatives for increasing container freight movements by rail. The Corporation should review the underlying causes hindering growth in the rail mode and develop and implement strategies to address the unfavourable trend.
Volume Seven 2011 focus on Law, Order and Emergency Services
The audits of these agencies’ financial statements for the year ended 30 June 2011 resulted in unmodified audit opinions within the Independent Auditor’s Reports. It is recommended that emergency services agencies continue to develop and implement comprehensive volunteer workforce management plans to ensure they have the right volunteer resources.
Volume Six 2011 focus on Environment, Water and Regional Infrastructure
The Environment Protection Authority’s expenditure for the financial year 2010/11 was $92 million - $76 million of this was for environment protection and regulation. The Office of Environment and Heritage and the Environment Protection Authority commenced 145 prosecutions for environmental offences and 106 were completed in the financial year 2010/11, down from the 134 prosecutions completed in 2009/10. Financial penalties for 2010/11 totalled $969,000 down from $1,403,000 in 2009/10. The average fine decreased from $10,468 in 2009/10 to $9,141 in 2010/11.
Volume Five 2011 focus on Superannuation, Compensation and Housing
The audits of the New South Wales Government controlled superannuation entities financial statements for the year ended 30 June 2011 resulted in unmodified audit opinions within the Independent Auditor’s Reports. Findings show that Treasury should review the structure and number of public sector superannuation funds and consider whether efficiencies and cost savings could be achieved through consolidation.
Responding to Domestic and Family Violence
Organisations generally work together to improve the safety of victims when there is an overt and serious crisis, particularly where children are involved. There are no standard ways for victims and perpetrators to access help that might prevent ongoing violence and address underlying issues. This is particularly problematic where there are repeat victims and perpetrators, many of whom have complex mental health, drug and alcohol problems and are difficult to work with. New South Wales has trialled a number of projects to improve the way that organisations work together to support vulnerable people in particular communities.
Parliamentary reference - Report number #218 - released 8 November 2011
