Reports
Actions for Detecting and responding to cyber security incidents
Detecting and responding to cyber security incidents
A report released today by the Auditor-General for New South Wales, Margaret Crawford, found there is no whole-of-government capability to detect and respond effectively to cyber security incidents. There is very limited sharing of information on incidents amongst agencies, and some agencies have poor detection and response practices and procedures.
The NSW Government relies on digital technology to deliver services, organise and store information, manage business processes, and control critical infrastructure. The increasing global interconnectivity between computer networks has dramatically increased the risk of cyber security incidents. Such incidents can harm government service delivery and may include the theft of information, denial of access to critical technology, or even the hijacking of systems for profit or malicious intent.
This audit examined cyber security incident detection and response in the NSW public sector. It focused on the role of the Department of Finance, Services and Innovation (DFSI), which oversees the Information Security Community of Practice, the Information Security Event Reporting Protocol, and the Digital Information Security Policy (the Policy).
The audit also examined ten case study agencies to develop a perspective on how they detect and respond to incidents. We chose agencies that are collectively responsible for personal data, critical infrastructure, financial information and intellectual property.
Some of our case study agencies had strong processes for detection and response to cyber security incidents but others had a low capability to detect and respond in a timely way.
Most agencies have access to an automated tool for analysing logs generated by their IT systems. However, coverage of these tools varies. Some agencies do not have an automated tool and only review logs periodically or on an ad hoc basis, meaning they are less likely to detect incidents.
Few agencies have contractual arrangements in place for IT service providers to report incidents to them. If a service provider elects to not report an incident, it will delay the agency’s response and may result in increased damage.
Most case study agencies had procedures for responding to incidents, although some lack guidance on who to notify and when. Some agencies do not have response procedures, limiting their ability to minimise the business damage that may flow from a cyber security incident. Few agencies could demonstrate that they have trained their staff on either incident detection or response procedures and could provide little information on the role requirements and responsibilities of their staff in doing so.
Most agencies’ incident procedures contain limited information on how to report an incident, who to report it to, when this should occur and what information should be provided. None of our case study agencies’ procedures mentioned reporting to DFSI, highlighting that even though reporting is mandatory for most agencies their procedures do not require it.
Case study agencies provided little evidence to indicate they are learning from incidents, meaning that opportunities to better manage future incidents may be lost.
Recommendations
The Department of Finance, Services and Innovation should:
- assist agencies by providing:
- better practice guidelines for incident detection, response and reporting to help agencies develop their own practices and procedures
- training and awareness programs, including tailored programs for a range of audiences such as cyber professionals, finance staff, and audit and risk committees
- role requirements and responsibilities for cyber security across government, relevant to size and complexity of each agency
- a support model for agencies that have limited detection and response capabilities
- revise the Digital Information Security Policy and Information Security Event Reporting Protocol by
- clarifying what security incidents must be reported to DFSI and when
- extending mandatory reporting requirements to those NSW Government agencies not currently covered by the policy and protocol, including State owned corporations.
DFSI lacks a clear mandate or capability to provide effective detection and response support to agencies, and there is limited sharing of information on cyber security incidents.
DFSI does not currently have a clear mandate and the necessary resources and systems to detect, receive, share and respond to cyber security incidents across the NSW public sector. It does not have a clear mandate to assess whether agencies have an acceptable detection and response capability. It is aware of deficiencies in agencies and across whole‑of‑government, and has begun to conduct research into this capability.
Intelligence gathering across the public sector is also limited, meaning agencies may not respond to threats in a timely manner. DFSI has not allocated resources for gathering of threat intelligence and communicating it across government, although it has begun to build this capacity.
Incident reporting to DFSI is mandatory for most agencies, however, most of our case study agencies do not report incidents to DFSI, reducing the likelihood of containing an incident if it spreads to other agencies. When incidents have been reported, DFSI has not provided dedicated resources to assess them and coordinate the public sector’s response. There are currently no formal requirements for DFSI to respond to incidents and no guidance on what it is meant to do if an incident is reported. The lack of central coordination in incident response risks delays and increased damage to multiple agencies.
DFSI's reporting protocol is weak and does not clearly specify what agencies should report and when. This makes agencies less likely to report incidents. The lack of a standard format for incident reporting and a consistent method for assessing an incident, including the level of risk associated with it, also make it difficult for DFSI to determine an appropriate response.
There are limited avenues for sharing information amongst agencies after incidents have been resolved, meaning the public sector may be losing valuable opportunities to improve its protection and response.
Recommendations
The Department of Finance, Services and Innovation should:
- develop whole‑of‑government procedure, protocol and supporting systems to effectively share reported threats and respond to cyber security incidents impacting multiple agencies, including follow-up and communicating lessons learnt
- develop a means by which agencies can report incidents in a more effective manner, such as a secure online template, that allows for early warnings and standardised details of incidents and remedial advice
- enhance NSW public sector threat intelligence gathering and sharing including formal links with Australian Government security agencies, other states and the private sector
- direct agencies to include standard clauses in contracts requiring IT service providers report all cyber security incidents within a reasonable timeframe
- provide assurance that agencies have appropriate reporting procedures and report to DFSI as required by the policy and protocol by:
- extending the attestation requirement within the DISP to cover procedures and reporting
- reviewing a sample of agencies' incident reporting procedures each year.
Appendix one - Response from agency
Appendix two - ISMS maturity model
Appendix three - About the audit
Appendix four - Performance auditing
Parliamentary reference - Report number #297 - released 2 March 2018
Actions for Managing demand for ambulance services 2017
Managing demand for ambulance services 2017
NSW Ambulance has introduced several initiatives over the past decade to better manage the number of unnecessary ambulance responses and transports to hospital emergency departments. However, there is no overall strategy to guide the development of these initiatives nor do NSW Ambulance's data systems properly monitor their impact. As a result, the Audit Office was unable to assess whether NSW Ambulance's approach to managing demand is improving the efficiency of ambulance services.
NSW Ambulance uses a telephone referral system to manage triple zero calls from people with medical issues that do not require an ambulance. This has the potential to achieve efficiency improvements but there are weaknesses in NSW Ambulance's use and monitoring of this system. Paramedics are now able to make decisions about whether patients need transport to a hospital emergency department. NSW Ambulance does not routinely measure or monitor the decisions paramedics make, so it does not know whether these decisions are improving efficiency. Extended Care Paramedics who have additional skills in diagnosing and treating patients with less urgent medical issues were introduced in 2007. NSW Ambulance analysis indicates that these paramedics have the potential to improve efficiency, but have not been used as effectively as possible.
Our 2013 audit of NSW Ambulance found that accurate monitoring of activity and performance was not being conducted. More than four years later, this remains the case.
NSW Ambulance has recognised the need to change the way it manages demand and has developed initiatives that have the potential to improve efficiency. However, there are significant weaknesses in the strategy for and implementation of its demand management initiatives.
NSW Ambulance has identified the goal of moving from an emergency transport provider to a mobile health service and developed several initiatives to support this. Its demand management initiatives have the potential to contribute to the broader policy directions for the health system in New South Wales. However, there is no clear overall strategy guiding these initiatives and their implementation has been poor.
NSW Ambulance's reasons for changing its approach to demand management have not been communicated proactively to the community. Demand management initiatives that have been operating for over a decade still do not have clear performance measures or targets. Project management of new initiatives has been inadequate, with insufficient organisational resources to oversee them and inadequate engagement with other healthcare providers.
NSW Ambulance uses an in-house Vocational Education and Training course to recruit some paramedics, as well as recruiting paramedics who have completed a university degree. No other Australian ambulance services continue to provide their own Vocational Education and Training qualifications. Paramedics will need more support in several key areas to be able to fulfil their expanded roles in providing a mobile health service. Performance and development systems for paramedics are not used effectively. Up to date technology would help paramedics make better decisions and improve NSW Ambulance's ability to monitor demand management activity.
There are gaps in NSW Ambulance's oversight of the risks of some of the initiatives it has introduced, particularly its lack of information on the outcomes for patients who are not transported to hospital. Weaknesses in the way NSW Ambulance uses its data limit its ability to properly assess the risks of the demand management initiatives it has introduced.
Parliamentary reference - Report number #295 - released 13 December 2017
Actions for Passenger Rail Punctuality
Passenger Rail Punctuality
Rail agencies are well placed to manage the forecast increase in passengers up to 2019, including joining the Sydney Metro Northwest to the network at Chatswood. Their plans and strategies are evidence-based, and mechanisms to assure effective implementation are sound.
Appendix one - Response from the agencies
Appendix two - Response from Audit Office
Appendix three - About the audit
Appendix four - Accuracy of punctuality measurement
Appendix five - Train and customer punctuality
Parliamentary reference - Report number #281 - released 11 April 2017
Actions for CBD and South East Light Rail Project
CBD and South East Light Rail Project
Transport for NSW did not effectively plan and procure the CBD and South East Light Rail (CSELR) project to achieve best value for money according to a report released today by NSW Auditor-General, Margaret Crawford.
Transport for NSW is on track to deliver the project, but it will come at a higher cost with lower benefits than in the approved business case.
Parliamentary reference - Report number #278 - released 30 November 2016
Actions for Implementation of the NSW Government’s program evaluation initiative
Implementation of the NSW Government’s program evaluation initiative
The NSW Government’s ‘program evaluation initiative’, introduced to assess whether service delivery programs achieve expected outcomes and value for money, is largely ineffective according to a report released today by NSW Auditor-General, Margaret Crawford.
Government services, in areas such as public order and safety, health and education, are delivered by agencies through a variety of programs. In 2016–17, the NSW Government estimates that it will spend over $73 billion on programs to deliver services.
Parliamentary reference - Report number #277 - released 3 November 2016
Actions for Red tape reduction
Red tape reduction
Overall, NSW Government initiatives and processes to prevent and reduce red tape were not effective, according to a report released today by the NSW Auditor-General.
In 2015, the Government reported that its red tape reduction initiatives, implemented between 2011 and 2015, had resulted in $896 million in savings. While these initiatives resulted in some savings, the total value of savings is unknown because estimates for some initiatives were based on unverified assumptions, cost transfers or unrealised projections.
Parliamentary reference - Report number #272 - released 25 August 2016
Actions for Security of critical IT infrastructure
Security of critical IT infrastructure
Roads and Maritime Services and Transport for NSW have deployed many controls to protect traffic management systems but these would have been only partially effective in detecting and preventing incidents and unlikely to support a timely response. There was a potential for unauthorised access to sensitive information and systems that could have disrupted traffic.
Until Roads and Maritime Services’ IT disaster recovery site is fully commissioned, a disaster involving the main data centre is likely to lead to higher congestion in the short-term as traffic controllers would be operating on a regional basis without the benefit of the Traffic Management Centre.
Parliamentary reference - Report number #248 - released 21 January 2015
Actions for Managing IT Services Contracts
Managing IT Services Contracts
Neither agency (NSW Ministry of Health and NSW Police Force) demonstrated that they continued to get value for money over the life of these long term contracts or that they had effectively managed all critical elements of the three contracts we reviewed post award. This is because both agencies treated contract extensions or renewals as simply continuing previous contractual arrangements, rather than as establishing a new contract and financial commitment. Consequently, there was not a robust analysis of the continuing need for the mix and quantity of services being provided or an assessment of value for money in terms of the prices being paid.
Parliamentary reference - Report number #220 - released 1 February 2012
Actions for Government Licensing Project
Government Licensing Project
The Government Licensing Project (GLP) is standardising and simplifying processes of agencies which issue licences. However, it is currently running over the original anticipated completion date, exceeding the original budget and expected to produce savings less than originally planned.
Parliamentary reference - Report number #192 - released 7 October 2009
Actions for Signal failures on the metropolitan rail network
Signal failures on the metropolitan rail network
Between 2004 and 2006, the number of signalling failures, signalling downtime and the number of trains delayed as a result of signal failures all fell. RailCorp’s on-time running performance improved over the same period. The fall in failures is a clear indication of improved performance. Changes in the definition of on-time and to the timetable during 2005 and 2006 however make it difficult to determine whether improvements in response downtime and signalling delays are due to a true performance improvement. To build upon this strong base, RailCorp needs to determine with more confidence the number and duration of signalling failures the network can tolerate without impacting on service levels.
Parliamentary reference - Report number #170 - released 15 August 2007