What the report is about

This audit assessed nine agencies’ compliance with the NSW Cyber Security Policy (CSP) including whether, during the year to 30 June 2020, the participating agencies:

• met their reporting obligations under the CSP
• reported accurate self-assessments of their level of maturity implementing the CSP’s requirements including the Australian Cyber Security Centre’s (ACSC) Essential 8.

What we found

Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. The CSP is not achieving the objectives of improved cyber governance, controls and culture because:

• the CSP does not specify a minimum level for agencies to achieve in implementing the 'mandatory requirements' or the Essential 8
• the CSP does not require agencies to report their target levels, nor does it require risk acceptance decisions to be documented or formally endorsed
• each participating agency had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis
• none of the participating agencies had implemented all of the Essential 8 controls
• agencies tended to over-assess their cyber security maturity - all nine participating agencies were unable to support all of their self-assessments with evidence
• there is no monitoring of the adequacy or accuracy of agencies' self-assessments.

What we recommended

In this report, we repeat recommendations made in the 2019 and 2020 Central Agencies reports, that Cyber Security NSW and NSW Government agencies need to prioritise improvements to cyber security resilience as a matter of urgency.

Cyber Security NSW should:

• monitor and report compliance with the CSP
• require agencies to report the target and achieved levels of maturity
• require agencies to justify why it is appropriate to target a low level of maturity
• require the agency head to formally accept the residual risk
• challenge agencies' target maturity levels.

Agencies should resolve discrepancies between their reported level of maturity and the level they are able to support with evidence.

Separately, the agencies we audited requested that we not disclose our audit findings. We reluctantly agreed to anonymise our findings, even though they are more than 12 months old. We are of the view that transparency and accountability to the Parliament of New South Wales are part of the solution, not the problem.

The poor levels of agency cyber security maturity are a significant concern. Improvement requires leadership and resourcing.

This report assesses whether state government agencies are complying with the NSW Cyber Security Policy. The audit was based on the level of compliance reported at 30 June 2020.

Our audit identified non-compliance and significant weaknesses against the government’s policy.

Audited agencies have requested that we not report the findings of this audit to the Parliament of New South Wales, even though the findings are more than 12 months old, believing that the audit report would expose their weaknesses to threat actors.

I have reluctantly agreed to modify my report to anonymise agencies and their specific failings because the vulnerabilities identified have not yet been remedied. Time, leadership and prioritised action should have been sufficient for agencies to improve their cyber safeguards. I am of the view that transparency and accountability to the Parliament is part of the solution, not the problem.

The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.

Cyber security is increasingly a focus of governments around Australia. The Australian Cyber Security Centre (ACSC) is the Australian Government’s lead agency for cyber security and is part of the Australian Signals Directorate, a statutory authority within the Australian Government’s Defence portfolio. The ACSC has advised that government agencies at all levels, as well as individuals and other organisations were increasingly targeted over the 2021 financial year¹. The ACSC received over 67,500 cybercrime reports, a 13 per cent increase on the previous year. This equates to one reported cyber attack every eight minutes. They also noted that attacks by cyber criminals and state actors are becoming increasingly sophisticated and complex and that the attacks are increasingly likely to be categorised as ‘substantial’ in impact.

High profile attacks in Australia and overseas have included a sustained malware campaign targeted at the health sector², a phishing campaign deploying emotet malware, spear phishing campaigns targeting people with administrator or other high-level access, and denial of service attacks. The continuing trend towards digital delivery of government services has increased the vulnerability of organisations to cyber threats.

The COVID-19 pandemic has increased these risks. It has increased Australian dependence on the internet – to work remotely, to access services and information, and to communicate and continue our daily lives. Traditional security policies within an organisation’s perimeter are harder to enforce in networks made up of home and other private networks, and assets the organisation does not manage. This has increased the cyber risks for NSW Government agencies.

In March 2020, Service NSW suffered two cyber security incidents in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these cyber breaches resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information contained in these email accounts. These attacks were the subject of the Auditor-General's report on Service NSW's handling of personal information tabled on 18 December 2020.

This audit also follows two significant performance audits. Managing cyber risks, tabled on 13 July 2021 found Transport for NSW and Sydney Trains were not effectively managing their cyber security risks. Integrity of data in the Births, Deaths and Marriages Register, tabled 7 April 2020 found that although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls.

The NSW Cyber Security Policy (CSP) was issued by Cyber Security NSW, a business unit within the Department of Customer Service, and took effect from 1 February 2019. It applies to all NSW Government departments and public service agencies, including statutory authorities. Of the 104 agencies in the NSW public sector that self-assessed their maturity implementing the mandatory requirements, only five assessed their maturity at level three or above (on the five point maturity scale). This means that, according to their own self-assessments, 99 agencies practiced requirements within the framework in what the CSP’s maturity model describes as an ad hoc manner, or they did not practice the requirement at all. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cybersecurity and resilience as a matter of priority.

This audit looks specifically at the compliance of nine key agencies with the CSP. It looks at their achievement implementing the requirements of the policy, the accuracy of their self-assessments and the attestations they made as to their compliance with the CSP.

The CSP outlines the mandatory requirements to which all NSW Government departments and public service agencies must adhere. It seeks to ensure cyber security risks to agencies’ information and systems are appropriately managed. The key areas of responsibility for agencies are:

• Lead - Agencies must implement cyber security planning and governance and report against the requirements outlined in the CSP and other cyber security measures.
• Prepare - Agencies must build and support a cyber security culture across their agency and NSW Government more broadly.
• Prevent - Agencies must manage cyber security risks to safeguard and secure their information and systems.
• Detect/Respond/Recover - Agencies must improve their resilience including their ability to rapidly detect cyber incidents and respond appropriately.
• Report - Agencies must report against the requirements outlined in the CSP and other cyber security measures.

DCS has only recommended, but not mandated the CSP for state owned corporations, local councils and universities.

NSW Government agencies must include an attestation on cyber security in their annual report and provide a copy to Cyber Security NSW by 31 August each year stating whether, for the preceding financial year, the agency has:

• assessed its cyber security risks
• appropriately addressed cyber security at agency governance forums
• a cyber incident response plan that is integrated with the security components of business continuity arrangements, and the response plan has been tested during the previous 12 months (involving senior business executives)
• certified the agency’s Information Security Management System (ISMS) or confirmed the agency’s Cyber Security Framework (CSF)
• a plan to continuously improve the management of cyber security governance and resilience.

The purpose of the attestation is to focus the agency's attention on its cyber risks and the mitigation of those risks.

Agencies assess their level of compliance in accordance with a maturity model. The CSP does not mandate a minimum maturity threshold for any requirement, including implementation of the Australian Cyber Security Centre's (ACSC) Essential 8 Strategies to Mitigate Cyber Security Incidents (Essential 8).

Agencies are required to set a target maturity level based on their risk appetite for each requirement, seek continual improvement in their maturity, and annually assess their maturity on an ascending scale of one to five for all requirements (refer to Appendix two for the maturity model). Each control within the Essential 8 is assessed on an ascending scale of zero to three reflecting the agency's level of alignment with the strategy (refer to Appendix three for the maturity model).

Scope of this audit

We assessed whether agencies had provided accurate reporting on their level of maturity implementing the requirements of the CSP in a documented way and covering all their systems.

The scope of this audit covered nine agencies (the participating agencies). These agencies were selected because they are the lead agency in their cluster, or have a significant digital presence within their respective cluster. The list of participating agencies is in section 1.2. The audit aimed to determine whether, during the year to 30th June 2020, the participating agencies:

• met their reporting obligations under the CSP
• provided accurate reporting in self-assessments against the CSP’s mandatory requirements, including their implementation of the Australian Cyber Security Centre’s (ACSC) Essential 8
• achieved implementation of mandatory requirements at maturity levels which meet or exceed the ‘level three - defined’ threshold (i.e. are documented and practiced on a regular and consistent basis).

While the audit does assess the accuracy of agency self-assessed ratings, the audit did not assess the appropriateness of the maturity ratings.

1. Key findings

The CSP allows agencies to determine their own level of maturity to implement the 'mandatory requirements', which can include not practicing a policy requirement or implementing a policy requirement on an ad hoc basis. These determinations do not need to be justified

Agencies can decide not to implement requirements of the CSP, or they can decide to implement them only in an informal or ad-hoc manner. The CSP allows agencies to determine their desired level of maturity in implementing the requirements on a scale of one to five - level one being 'initial – not practiced' and level five being 'optimised'. The desired level of maturity is determined by the agency based on their own assessment of the risk of the services they provide and the information they hold.

The reporting template for the 2019 version of the CSP stated that level three maturity - where a policy requirement is practiced on a regular and consistent basis and its processes are documented - was required for compliance with the CSP. This requirement was removed in the 2020 revision of the reporting template.

This CSP does not require the decisions on risk tolerance, or the timeframes agencies have set to implement requirements to be documented or formally endorsed by the agency head. There is no requirement to report these decisions to Cyber Security NSW.

Some comparable jurisdictions require formal risk acceptance decisions where requirements are not implemented. The NSW CSP does not have a similar formal requirement

Some jurisdictions, with a similar policy framework to NSW, require agencies to demonstrate reasons for not implementing requirements, and require agency heads to formally acknowledge the residual risk. The NSW CSP does not require these considerations to be documented, nor does it require an explicit acknowledgement and acceptance of the residual risk by the agency head or Cyber Security NSW. The NSW CSP does not require that the records of how agencies considered and decided which measures to adopt to be documented and auditable, limiting transparency and accountability of decisions made.

All of the participating agencies had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis

All of the participating agencies had implemented one or more of the mandatory requirements at level one or two. Maturity below level three typically means not all elements of the requirement have been implemented, or the requirements have been implemented on an ad-hoc or inconsistent basis.

None of the participating agencies has implemented all of the Essential 8 controls at level one – that is, only partly aligned with the intent of the mitigation strategy

Eight of the nine agencies we audited had not implemented any of the Essential 8 strategies to level three – that is, fully aligned with the intent of the mitigation strategy. At the time of this audit the ACSC advised that:

as a baseline organisations should aim to reach to reach Maturity Level Three for each mitigation strategy³.

The Australian Signals Directorate⁴ currently advises that, with respect to the Essential 8:

[even] level three maturity will not stop adversaries willing and able to invest enough time, money and effort to compromise a target. As such, organisations still need to consider the remainder of the mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual

All agencies failed to reach even level one maturity for at least three of the Essential 8.

Cyber Security NSW modified the ACSC model for implementation of the Essential 8

The NSW maturity model used for the Essential 8 does not fully align with the ACSC’s model. At the time of this audit the major difference was the inclusion of level zero in the NSW CSP maturity scale. Level zero broadly means that the relevant cyber mitigation strategy is not implemented or is not applied consistently. Level zero had been removed by the ACSC in February 2019 and was not part of the framework at the time of this audit. It was re-introduced in July 2021 when the ACSC revised the detailed criteria for each element of the essential 8 maturity model. The indicators to reach level one on the new ACSC model are more detailed, specific and rigorous than those currently prescribed for NSW Government agencies. Cyber Security NSW asserted the level zero on the CSP maturity scale:

is not identical to the level zero of the ACSC’s previous Essential 8 maturity model, but is a NSW-specific inclusion designed to prevent agencies incorrectly assessing as level one when they have not achieved that level.

Attestations did not accurately reflect whether agencies implemented the requirements

Of the nine participating agencies, seven did not modify the proforma wording in their attestation to reflect their actual situation. Despite known gaps in their implementation of mandatory requirements, these agencies stated that they had 'managed cyber security risks in a manner consistent with the Mandatory Requirements set out in the NSW Government Cyber Security Policy'. Only two agencies modified the wording of the attestation to reflect their actual situation.

Attestations should be accurate so that agencies’ and the government’s response to the risk of cyber attack is properly informed by an understanding of the gaps in agency implementation of the policy requirements and the Essential 8. Without accurate information about these gaps, subsequent decisions as to prioritisation of effort and deployment of resources are unlikely to effectively mitigate the risks faced by NSW Government agencies.

Participating agencies were not able to support all of their self-assessments with evidence and had overstated their maturity assessments, limiting the effectiveness of agency risk management approaches

Seven of the nine participating agencies reported levels of maturity against both the mandatory requirements and the Essential 8 that were not supported by evidence.

Each of the nine participating agencies for this audit had overstated their level of maturity against at least one of the 20 mandatory requirements. Seven agencies were not able to provide evidence to support their self-assessed ratings for the Essential 8 controls.

Where agency staff over-assess the current state of their cyber resilience, it can undermine the effectiveness of subsequent decision making by Agency Heads and those charged with governance. It means that actions taken in mitigating cyber risks are less likely to be appropriate and that gaps in implementing cyber security measures will remain, exposing them to cyber attack.

Agencies' self-assessments across government exposed poor levels of maturity in implementing the mandatory requirements and the Essential 8 controls

We reviewed the data 104 NSW agencies provided to Cyber Security NSW. The 104 agencies includes nine audited agencies referred to in more detail in this report. Our review of the 104 agency self-assessment returns submitted to Cyber Security NSW highlighted that, consistent with previous years, there remains reported poor levels of cyber security maturity. We reported the previous years’ self-assessments in the Central Agencies 2019 Report to Parliament and the Central Agencies 2020 Report to Parliament.

Only five out of the 104 agencies self-assessed that they had implemented all of the mandatory requirements at level three or above (against the five point scale). Fourteen agencies self-assessed that they had implemented each of the Essential 8 controls at level one maturity or higher (using Cyber NSW’s four point scale). The remainder reported at level zero for implementation of one or more of the Essential 8 controls, meaning that for the majority of agencies the cyber mitigation strategy has not been implemented, or is applied inconsistently.

Where agencies had reported in both 2019 and 2020, agencies’ self-assessments showed little improvement over the previous year’s self-assessments:

• 14 agencies reported improvement across both the Essential 8 and the mandatory requirements
• 8 agencies reported a net decline in both the Essential 8 and the mandatory requirements.

The poor levels of maturity in implementing the Essential 8 over the last couple of years is an area of significant concern that requires better leadership and resourcing to prioritise the required significant improvement in agency cyber security measures.

2. Recommendations

Cyber Security NSW should:

1. monitor and report compliance with the CSP by:

• obtaining objective assurance over the accuracy of self-assessments
• requiring agencies to resolve inaccurate or anomalous self-assessments where these are apparent

2. require agencies to report:

• the target level of maturity for each mandatory requirement they have determined appropriate for their agency
• the agency head's acceptance of the residual risk where the target levels are low

3. identify and challenge discrepancies between agencies' target maturity levels and the risks of the information they hold and services they provide

4. more closely align their policy with the most current version of the ACSC model.

Participating agencies should:

5. resolve the discrepancies between their reported level of maturity and the level they are able to demonstrate with evidence, and:

• compile and retain in accessible form the artefacts that demonstrate the basis of their self-assessments
• refer to the CSP guidance when determining their current level of maturity
• ensure the attestations they make refer to departures from the CSP
• have processes whereby the agency head and those charged with governance formally accept the residual cyber risks.

Repeat recommendation from the 2019 Central Agencies report and the 2020 Central Agencies report

6. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security and resilience as a matter of urgency.

The objective of the CSP is to ensure cyber security risks are appropriately managed. However, meeting this objective depends on the requirements being implemented at all agencies to a level of maturity that addresses their specific cyber security risks. Agency systems and data are increasingly interconnected. If an agency does not implement the requirements, or implements them only in an ad-hoc or informal way, an agency is more susceptible to their systems and data being compromised, which may affect the confidentiality of citizens' data and the reliability of services, including critical infrastructure services.

Agencies determine their own target level of maturity, which may mean the requirement is not addressed, or is addressed in an ad hoc or inconsistent way

While the CSP is mandatory for all agencies, it does not set a minimum maturity threshold for agencies to meet.

The reporting template issued in 2019 stated that agencies were required to reach level three maturity in order to comply with the CSP. The 2020 revision⁶ of the CSP and guidance indicates that level three maturity may not be sufficient to mitigate risks. It advises the agency may determine the level to which it believes it is suitable to implement the requirements, and allows for an agency to aim for a target level of maturity less than level three. The agency can set its optimal maturity level with reference to its risk tolerance with the objective that that aim ‘to be as high as possible’. However, ‘as high as possible’ does not necessarily mean ‘fully implemented’. The CSP contemplates that a lower level of maturity is sufficient if it aligns with the agency's risk tolerance.

The Department of Customer Service asserts that while the quotes above were part of their annual templates and policy documents, their documents were incorrect. They assert that the policy has never required a minimum level of maturity to be reached. They have responded to our enquiries that:

…a level three maturity was not a requirement of the Policy or Maturity Model’ and ‘it is misleading to suggest it was a requirement of the Policy.

This audit found that, based on the 2020 reporting template there is no established minimum baseline. Consequently, because the Department of Customer Service had not established a minimum baseline agencies are able to target lower levels (providing they were within the agency’s own risk appetite), which includes targeting to not practice a CSP policy requirement, or to practice a CSP policy requirement on an ad hoc basis.

Where requirements are not implemented, documentation of formal acceptance of the residual risks by the agency head is not required

The New Zealand Government has an approach that is not dissimilar to NSW, in that it also identifies 20 mandatory requirements and allows for a risk based approach to implementation. However, the New Zealand approach puts more rigor around risk acceptance decisions.

The New Zealand Government requires that agencies that do not implement the requirements must demonstrate that a measure is not relevant for them. It requires agencies to document the rationale for not implementing the measure, including explicit acknowledgement of the residual risk by the agency head. They require these records to be auditable.

A security measure with a ‘must’ or ‘must not’ compliance requirement is mandatory. You must implement or follow mandatory security measures unless you can demonstrate that a measure is not relevant in your context.

Not using a security measure without due consideration may increase residual risk for your organisation. This residual risk needs to be agreed and acknowledged by your organisation head.

A formal auditable record of how you considered and decided which measures to adopt is required as part of the governance and assurance processes within your organisation.

The NSW CSP does not require these considerations to be documented or auditable and does not require an explicit acknowledgement or acceptance of the residual risk by the agency head.

None of the participating agencies achieved level three implementation for all mandatory risk prevention and mitigation requirements

Maturity level three is the minimum level whereby an agency has implemented documented processes that are practiced on a regular basis across their environment. An agency has not reached level three if the requirement is implemented on an ad-hoc or inconsistent basis, or if not all elements of the requirement have been implemented.

None of the participating agencies achieved level three implementation for all mandatory requirements.

The requirements of the CSP are organised into five sections. Agency implementation of these requirements is discussed in the next five sections of this report.

• Lead: Planning and governance requirements. Section 2.1
• Prepare: Cyber security culture requirements. Section 2.2
• Prevent: Managing cyber incident prevention requirements. Section 2.3
• Detect/Respond/Recover: Resilience requirements. Section 2.4
• Report: Reporting requirements. Section 2.5.

Appendix one – Response from agencies

Appendix two – The maturity model for the mandatory requirements

Appendix three – Essential 8 maturity model

Appendix four – About the audit

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

This audit assessed how effectively Transport for NSW (TfNSW) and Sydney Trains identify and manage their cyber security risks.

The NSW Cyber Security Policy (CSP) sets out 25 mandatory requirements for agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies to mitigate cyber security incidents, and identifying the agency’s most vital systems, their ‘crown jewels’. 

The audited agencies have requested that we do not disclose detail of the significant vulnerabilities detected during the audit, as these vulnerabilities are not yet remediated. We provided a detailed report to the agencies in December 2020 outlining significant issues identified in the audit. We have conceded to the agencies' request but it is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

What we found

TfNSW and Sydney Trains are not effectively managing their cyber security risks.

Both agencies have assessed their cyber security risks as unacceptably high and both agencies had not identified all of the risks we detected during this audit – some of which are significant.

Both agencies have cyber security plans in place that aim to address cyber security risks. TfNSW and Sydney Trains have combined this into the Transport Cyber Defence Rolling Program, part of the Cyber Defence Portfolio (CDP). 

However, neither agency has reached its target ratings for the CSP and the Essential 8 and maturity is low in relation to significant risks and vulnerabilities exposed.

Further, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision-making.

TfNSW is not implementing cyber security training effectively across the cluster with only 7.2% of staff having completed basic cyber security training.

What we recommended

TfNSW and Sydney Trains should:

• develop and implement a plan to uplift the Essential 8 controls to the agency's target state
• as a matter of priority, address the vulnerabilities identified as part of this audit and previously described in a detailed Audit Office report provided to both agencies
• ensure cyber security risk reporting to executives and the Audit and Risk Committee
• collect supporting information for the CSP self assessments 
• classify all information and systems according to importance and integrate this with the crown jewels identification process
• require more rigorous analysis to re-prioritise CDP funding 
• increase uptake of cyber security training.

TfNSW should assess the appropriateness of its target rating for each of the CSP mandatory requirements.

Department of Customer Service should:

• clarify the requirement for the CSP reporting to apply to all systems
• require agencies to report the target level of maturity for each mandatory requirement.

Response to requests by audited agencies to remove information from this report

In preparing this audit report, I have considered how best to balance the need to support public accountability and transparency with the need to avoid revealing information that could pose additional risk to agencies’ systems. This has involved an assessment of the appropriate level of detail to include in the report about the cyber security vulnerabilities identified in this audit.

In making this assessment, the audit team consulted with Transport for NSW (TfNSW), Sydney Trains, and Cyber Security NSW to identify content which could potentially pose a threat to the agencies’ cyber security.

In December 2020, my office also provided TfNSW and Sydney Trains with a detailed report of many of the significant vulnerabilities identified in this audit, to enable the agencies to address the cyber security risks identified. The detailed report was produced as a result of a 'red team' exercise, which was conducted with both agencies' knowledge and consent. The scope of this exercise reflected the significant input provided by both agencies. More information on this exercise is at page 12 of this report.

TfNSW and Sydney Trains have advised that in the six months from December 2020 and at the time of tabling this audit report, they have not yet remediated all the vulnerabilities identified. As a result, they, along with Cyber Security NSW, have requested that we not disclose all information contained in this audit report to reduce the likelihood of an attack on their systems and resulting harm to the community. I have conceded to this request because the vulnerabilities identified have not yet been remediated and leave the agencies exposed to significant risk.

It should be stressed that the risks identified in the detailed report exist due to the continued presence of these previously identified vulnerabilities, rather than due to their potential publication. The audited agencies, alone, are accountable for remediating these vulnerabilities and addressing the risks they pose.

It is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

That said, the conclusions drawn in this report are significant in terms of risk and remain valid, and the recommendations should be acted upon with urgency.

Cyber security risk is an increasing area of concern for governments in Australia and around the world. In recent years, there have been a number of high-profile cyber security attacks on government entities in Australia, including in New South Wales. Malicious cyber activity in Australia is increasing in frequency, scale, and sophistication. The Audit Office of New South Wales is responding to these risks with a program of audits in this area, which aim to identify the effectiveness of particular agencies in managing cyber risks, as well as their compliance with relevant policy.

Cyber Security NSW, part of the Department of Customer Service (DCS) releases and manages the NSW Cyber Security Policy (CSP). The CSP sets out 25 mandatory requirements for agencies, including making it mandatory for agencies to implement the Australian Cyber Security Centre Essential 8 Strategies to Mitigate Cyber Security Incidents (the Essential 8). The Essential 8 are key controls which serve as a baseline set of protections which agencies can put in place to make it more difficult for adversaries to compromise a system. Agencies are required to self-assess their maturity against the CSP and the Essential 8, and report that assessment to Cyber Security NSW annually.

The CSP makes agencies responsible for identifying and managing their cyber security risks. The CSP sets out responsibilities and governance regarding risk identification, including making agencies responsible for identifying their 'crown jewels', the agency's most valuable and operationally vital systems. Once these risks are identified, agencies are responsible for developing a cyber security plan to mitigate those risks.

This audit focussed on two agencies: Transport for NSW (TfNSW) and Sydney Trains. TfNSW is the lead agency for the Transport cluster and provides a number of IT services to the entire cluster, including Sydney Trains. This audit focussed on the activities of TfNSW's Transport IT function, which is responsible for providing cyber security across the cluster, as well as directly overseeing four of TfNSW's crown jewels. Sydney Trains is one of the agencies in the Transport cluster. While it receives some services from TfNSW, it is also responsible for implementing its own IT controls, as well as controls to protect its Operational Technology (OT) environment. This OT environment includes systems which are necessary for the operation and safety of the train network.

To test the mitigations in place and the effectiveness of controls, this audit involved a 'red team' simulated exercise. A red team involves authorised attackers seeking to achieve certain objectives within the target's environment. The red team simulated a determined external cyber threat actor seeking to gain access to TfNSW's systems. The red team also sought to test the physical security of some Sydney Trains' sites relevant to the agency's cyber security. The red team exercise was conducted with the knowledge of TfNSW and Sydney Trains.

This audit included the Department of Customer Service as an auditee, as they have ownership of the CSP through Cyber Security NSW. This audit did not examine the management of cyber risk in the Department of Customer Service.

This audit assessed how effectively selected agencies identify and manage their cyber security risks. The audit assessed this with the following criteria:

• Are agencies effectively identifying and planning for their cyber security risks?
• Are agencies effectively managing their cyber security risks?

Following this in-depth portfolio assessment, the Auditor-General for NSW will also table a report on NSW agencies' compliance with the CSP in the first quarter of 2021–22.

Agencies have assessed their cyber risks as being above acceptable levels

An agency's risk tolerance is the amount of risk which the agency will accept or tolerate without developing further strategies to modify the level of risk. Risks that are within an agency's risk tolerance may not require further mitigation and may be deemed acceptable, while risks which are above the agency's risk tolerance likely require further mitigation before they become acceptable to the agency.

Both agencies have defined their risk tolerance and have identified risks which are above this level, indicating that they are unacceptable to the agency. TfNSW has defined 'very high' risks as generally intolerable and 'high' risks as undesirable. Its risk tolerance is 'medium'. Sydney Trains has four classifications of risk: A, B, C and D. A and B risks are deemed 'unacceptable' and 'undesirable' respectively, while C risks are considered 'tolerable'. This aligns with the TfNSW definition of a medium risk tolerance.

Transport IT reported five enterprise-level cyber security risks through its enterprise risk reporting tool in September 2020, all of which relate to cyber security or have causes relating to cyber security. These risks are in aggregate form, rather than relating to specific vulnerabilities. At the time of the audit, one of these risks was rated as very high and the other four rated as high. At this time, Transport IT had identified a further seven divisional-level risks which were above the agency’s risk tolerance.

Similarly, Sydney Trains has identified one main cyber security risk in its IT enterprise-level risk register and another with a potential cyber cause. Both of these IT risks are deemed to have a residual risk of ‘unacceptable’.

Similarly, two cyber-related OT risks have been determined to be above the agency's risk tolerance. One risk is rated as 'unacceptable'. Another risk, while not entirely cyber rated, is rated 'undesirable' and is deemed to have some causes which may stem from a cyber-attack.

Agencies have assessed their current cyber risk mitigations as requiring improvement

In addition to the risk ratings stated above, at the time of the audit neither agency believed that its controls were operating effectively. Transport IT had rated the control environments for its cyber security enterprise risks as 'requires improvement'. Mitigations were listed in the risk register for these risks but, in some cases, they were unlikely to reduce the risk to the target state or by the target date. For example, one risk had actions listed as 'under review' and no further treatment actions listed, but a due date of July 2021, while another risk was being treated by the CDP with a due date of July 2021. The CDP identified in May 2020 that while the average risk identified as part of that program will be reduced to a medium level by this date, ten high risks will still remain. Given the delays in the program, this number may be higher. As such, it seems unlikely that the enterprise risk will be reduced to below a 'high' level by July 2021.

Sydney Trains’ IT and OT risk registers cross-reference controls and mitigations against the causes and consequences. The IT cyber security risk identified in the register had causes with no mitigations designed for them. Further, some of these causes did not have future mitigations designed for them. This risk also had controls in place which are identified as partially effective. For the unacceptable OT risk noted above, while there was a control designed for each of the potential causes, Sydney Trains had identified all of the controls in place as either partially effective or ineffective. This indicates that Sydney Trains was not effectively mitigating the causes of its cyber risks and, even where it had designed controls or mitigations, these were not always implemented to fully mitigate the cause of the risk.

Additional information on gaps in cyber mitigations which were exposed in the course of this audit has been detailed to both agencies. The Foreword of this report provides information about why this detail is not included here.

Essential 8 maturity is low across TfNSW and Sydney Trains and little progress was made in 2020

CSP mandatory requirement 3.2 states that agencies must implement the ACSC Essential 8. Agencies must also rate themselves against each of the Essential 8 on a maturity scale from zero to three and report this to Cyber Security NSW. A full list of the Essential 8 can be found in Exhibit 1. Both agencies have a low level of maturity against the Essential 8 not just in comparison to the targets they have set, but also in relation to the risks and vulnerabilities exposed. Both agencies have set target maturity ratings for the Essential 8 but none of the Essential 8 ratings across either agency are currently implemented to this level. Having a low level of Essential 8 maturity exposes both agencies to significant risks and vulnerabilities. Little progress was made between the 2019 and 2020 attestation periods.

Transport IT has set a target rating of three across all of the Essential 8. Sydney Trains has set a target rating of three for its IT systems. Sydney Trains had an interim target of two for its OT systems in 2020 and advised that this has since increased to three. It should be noted that not all the Essential 8 are applicable to OT systems.

None of the Essential 8 ratings across either agency are currently implemented to the target levels. Given that the Essential 8 provide the controls which are most commonly able to deter cyber-attacks, having maturity at a low level potentially exposes agencies to a cyber security attack.

Some work is underway across both TfNSW and Sydney Trains to improve the Essential 8 control ratings. The CDP provided some resources to the Essential 8 over 2019–20, with uplift focusing on specific systems. The CDP work in 2019 and 2020 relevant to the Essential 8 largely focussed on determining the current state of the Essential 8 and creating a target state roadmap. As a result, there was little improvement between the 2019 and 2020 attestation periods. The CDP has a workstream for the Essential 8 in its FY 2020–21 funding allocation, however as noted above in Exhibit 6 this was delayed as resources were redeployed to Project La Brea. Regardless, work on some specific aspects of the Essential 8 remain part of the 2020–21 CDP allocation, with workstreams allocated to improving three of the Essential 8. In addition, some work from Project La Brea should lead to an improvement in the Essential 8.

Sydney Trains' Cyber Uplift Program included a workstream which had in scope the uplift in the Essential 8 in IT. There were also other workstreams which aimed to improve some of the Essential 8 for OT systems. Work is also ongoing as part of the CDP to uplift these scores in Sydney Trains.

TfNSW and Sydney Trains have not reached their target maturity across the CSP mandatory requirements and TfNSW has not evaluated its cluster-wide target to ensure it is appropriate

Cyber Security NSW allows each agency to determine its target level of maturity for the first 20 CSP mandatory requirements. Agencies can tailor their target levels to their risk profile. Not reaching the target rating of the CSP mandatory requirements risks information and systems being managed inconsistently or not in alignment with good governance principles.

Sydney Trains has set its target level of maturity for IT and OT. All of Sydney Trains' target maturity levels are at least a three (defined), with a target of four (quantitatively managed) for many of the mandatory requirements. While Cyber Security NSW does not currently mandate a minimum level of maturity, in 2019 there was a requirement for each agency to target a minimum level of three.

Sydney Trains has not met its target ratings across the mandatory requirements.

The Transport Cyber Defence Rolling Program has a program KPI to ensure that the entire cluster reaches a minimum maturity level of three against all the CSP requirements by 2023. TfNSW has not reviewed its CSP mandatory requirement targets to determine if a three is desirable for all requirements or if a higher target level may be more appropriate. It is important for senior management to set cyber security objectives as a demonstration of leadership and a commitment to cyber security.

TfNSW has not met its target ratings across the mandatory requirements for its Group IT ISMS, which was the focus of this audit.

Both agencies claimed progress in their implementation of the mandatory requirements between 2019 and 2020. The audit did not seek to verify the self-assessed results from either agency.

Both agencies operate ISMS in line with the CSP

CSP mandatory requirement 3.1 requires agencies to implement an Information Security Management System (ISMS) or Cyber Security Framework (CSF), with scope at least covering systems identified as the agency's ‘crown jewels’. The ISMS or CSF should be compliant with, or modelled on, one or more recognised IT or OT standard. As noted in the introduction, an ISMS ‘consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organisation, in the pursuit of protecting its information assets.’ Both agencies operate an ISMS compliant with the CSP requirement.

As noted in the introduction, TfNSW operates four ISMS. The Transport IT ISMS is certified against ISO27001, the most common standard for ISMS certification. Three of TfNSW’s six crown jewels are managed within this ISMS. The other ISMS are not certified to relevant standards, though TfNSW claims that they align with relevant controls. This is sufficient for the purposes of the CSP.

Sydney Trains operates two ISMS, one for IT and another for OT. Neither of these are certified to relevant ISMS Standards, however there have been conformance reviews of both IT and OT with relevant standards. These ISMS cover all crown jewels in the agency.

There are currently 11 ISMS in operation across the Transport cluster. TfNSW has proposed moving towards a holistic approach to these ISMS, with the CDP Board responsible for governing the available security controls and directing agency IT and OT teams to implement these.

Agencies are not routinely conducting audits of third-party suppliers to ensure compliance with contractual obligations

CSP mandatory requirement 1.5 makes agencies accountable for the cyber risks of their ICT service providers and ensuring that providers comply with the CSP and any other relevant agency security policies. The ACSC has provided advice on what organisations should do when managing third party suppliers of ICT. The ACSC advises that organisations should use contracts to define cyber security expectations and seek assurance to ensure that these contract expectations are being met. While both agencies usually include specific cyber security expectations in contracts, neither is routinely seeking assurance that these expectations are being met.

The NSW Government has mandated the use of the 'Core& One' contract template for low-value IT procurements and the Procure IT contract template for high-value IT procurements. Both of these contracts contain space for the procuring agency to include cyber security controls for the contractor to implement. The Procure IT contract template also includes a right-to-audit clause which allows agencies to receive assurance around the implementation of these controls. TfNSW and Sydney Trains used the mandated contracts for relevant contracts examined as part of this audit.

TfNSW included security controls in all the contracts examined as part of this audit. Compliance with ISO27001 was the most commonly stated security expectation. Of the contracts examined as part of this audit, only one contract did not have a right-to-audit clause. This contract was signed in October 2016. While these clauses are in place, TfNSW rarely conducted these audits on its third-party providers. Of the eight TfNSW contracts examined in detail, only two of these had been audited to confirm compliance with the stated security controls.

Sydney Trains included security controls in all but one of the contracts examined as part of this audit. Sydney Trains did not require contractors to be compliant with ISO27001, but only required compliance with whole-of-government policies. Sydney Trains does not routinely conduct audits of its third-party suppliers, however it did conduct deep-dive risk analyses of its top ten highest risk IT suppliers. This involved a detailed review of both the suppliers' security posture and also the contract underpinning the relationship with the supplier.

The CDP funding for 2020–21 includes a workstream for strategic third-party contract remediation. This funding is to conduct some foundational work which will allow the CDP to make further improvements in future years. While this funding will not address gaps in contract requirements or management across all contracts, this workstream aims to reduce the risks posed by strategic suppliers covering critical assets. Similarly, work is currently underway as part of the CDP to conduct OT risk assessments for key suppliers to Sydney Trains in a similar way to the work undertaken for IT suppliers.

Sydney Trains has risk assessed its third-party suppliers but TfNSW has not done so

It is important to conduct a risk assessment of suppliers to identify high-risk contractors. This allows agencies to identify those contractors who may require additional controls stated in the contract, those who require additional oversight, and also where auditing resources are best targeted.

Sydney Trains has risk assessed all its IT suppliers and, as noted above, has conducted a deep-dive risk analysis of its top ten highest risk suppliers. TfNSW has not undertaken similar analysis of its key suppliers, however it has identified risks attached to each of its strategic suppliers and has documented these. As a result of not risk assessing its suppliers, TfNSW cannot take a targeted approach to its contract management.

TfNSW demonstrated poor records handling relating to the contracts examined as part of this audit

TfNSW was not able to locate one of the contracts requested as part of the audit's sample. Other documentation, such as contract management plans, could not be located for many of the other contracts requested as part of this audit. These poor document handling practices limits TfNSW's ability to effectively oversee service providers and ensure that they are implementing agreed controls. It also limits public transparency on the effectiveness of these controls.

The Transport cluster is not effectively implementing cyber security awareness training

Agencies are responsible for implementing regular cyber security education for all employees and contractors under mandatory requirement 2.1 in the CSP. TfNSW is responsible for delivering this training to the whole Transport cluster, including Sydney Trains. The Transport cluster has basic cyber awareness training available for all staff. TfNSW also offers additional training provided by Cyber Security NSW targeted at executives and executive assistants. While TfNSW has training available to staff, it is not delivering this effectively. TfNSW does not make training mandatory for most staff nor does it require staff to repeat training regularly. Even among those staff who have been assigned the training, completion rates are low, meaning that delivery is not effectively monitored. Cyber security training is important for building and supporting a cyber security culture.

TfNSW is responsible for creating and rolling out all forms of training to agencies within the Transport cluster. Both TfNSW and Sydney Trains have the same mandatory cyber awareness training that is automatically assigned to new starters. At the time of the audit, this training was not mandatory for ongoing staff. TfNSW does make additional cyber security training available to staff who can choose to undertake the training themselves, or can be assigned the training by their manager. All TfNSW cyber security training is delivered via online modules and it is the responsibility of managers to ensure that it is completed.

Cyber security training completion rates for both TfNSW and Sydney Trains are low. Only 13.5 per cent of staff across the Transport cluster had been assigned the Cyber Safety for New Starters training as of January 2021. Although this course is mandatory for new starters, only 53 per cent of staff assigned the Cyber Safety for New Starters training module had completed the course by January 2021. As a result, only 7.2 per cent of staff across the entire Transport cluster had completed this training at that time. In Sydney Trains, less than one per cent of staff had completed this training as at January 2021 and a further 7.6 per cent of staff have completed the 'Cyber Security: Beyond the Basics' training. These low completion rates indicate that TfNSW is not effectively rolling out cyber security training across the cluster.

In October 2020, the Department of Customer Service released 'DCS-2020-05 Cyber Security NSW Directive - Practice Requirement for NSW Government', which made annual cyber security training mandatory for all staff from 2021. In line with this requirement, TfNSW has advised that it will be gradually implementing mandatory annual training from July 2021 for all staff.

The Transport cluster undertakes activities to build a cyber-aware culture in accordance with the CSP, but awareness remains low

Increasing staff awareness of cyber security risks and maintaining a cyber secure culture are both mandatory requirements of the CSP. While TfNSW does undertake some activities to build a cyber aware culture, awareness of cyber security risks remains low. This can be demonstrated by the low training rates outlined above, and the 'Spot the Scammer' exercise, described in Exhibit 7. TfNSW is responsible for delivering these awareness raising activities across the cluster.

TfNSW frequently communicates with staff across the Transport cluster about various cyber security risks through multiple avenues. Both agencies use the intranet, emails and other awareness raising activities to highlight the importance for staff to be aware of the seriousness of cyber risks. Advice given on the intranet includes tips for spotting scammers on mobile phones, promoting the cluster-wide training courses, as well as various advice that staff could use when dealing with cyber risks in the workplace.

In addition to these awareness raising activities, TfNSW has also undertaken a cluster-wide phishing email exercise called 'Spot the Scammer'. This is outlined in Exhibit 7. This exercise was carried out in 2019 and 2020 and allowed the Transport cluster to measure the degree to which staff were able to identify phishing emails. As can be seen in Exhibit 7, the results of this exercise indicate that staff awareness of phishing emails remains low.

Appendix one – Response from agencies

Appendix two – Cyber Security Policy mandatory requirements

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #353 - released (13 July 2021).

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.

The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.

The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.

The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service which supports Service NSW with privacy, risk and governance functions.

Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.

Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.

Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.

The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.

In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, are stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.

In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.

This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.

This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.

It addressed the following:

• Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
• Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
• Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?

1. Key findings

Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020

Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.

Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.

One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.

This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.

It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.

Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role based access, monitoring and audit of staff access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.

In addition, there is an absence of important controls to safeguard customers' privacy, such as multi factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.

A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither have been implemented.

Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.

Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies

Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.

The agreements between Service NSW and client agencies reviewed for this audit only include general and high level references to privacy. Most do not include details of each parties' privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.

Service NSW's privacy management plan has not been updated to include new programs and governance changes

Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.

The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID 19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check in app).

Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes

Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.

Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.

Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks

Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.

The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.

While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID 19 pandemic, it is the nature of the agency’s work that it operates in a fast paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.

2. Recommendations

Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.

As a matter of urgency, Service NSW should:

1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies

2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.

By March 2021, Service NSW should:

3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:

• the content and provision of privacy collection notices
• the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
• steps that will be taken by each agency to ensure that personal information is kept secure
• the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
• how identified breaches of privacy will be handled between agencies

4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:

• to clarify Service NSW's understanding of how responsibility for meeting privacy obligations are delineated between Service NSW and client agencies
• to better reflect the full scope and complexity of personal information handled by Service NSW
• to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
• to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information

5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:

• ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
• ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.

By June 2021, Service NSW should:

6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:

• establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
• enable partitioning and role based access restrictions to personal information collected for different programs
• provide customers the choice to use multi factor authentication to further secure their MyServiceNSW accounts
• enable customers to view the transaction history of their personal information to detect possible mishandling.

By December 2021, Service NSW should:

7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:

• the content and provision of privacy collection notices
• the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
• steps that will be taken by each agency to ensure that personal information is kept secure
• the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
• how identified breaches of privacy will be handled between agencies

8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:

• are identified as high risk and have not previously had a privacy impact assessment
• have had major changes or updates since the privacy impact assessment was completed.

Appendix one – Responses from agencies

Appendix two – About the audit

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the management of the One TAFE NSW modernisation program.

In 2016, the Government released 'A Vision for TAFE NSW' which stated that TAFE NSW needed to become more flexible, efficient and competitive. It set out the need to progressively reduce significant cost inefficiencies, including by moving away from separate institutes to a single institute model. TAFE NSW established the One TAFE NSW modernisation program to deliver on that vision.

The Auditor General found that the One TAFE NSW modernisation program did not deliver against its key objectives within planned timeframes. The modernisation program originally aimed to realise $250 million in annual savings from 2018–19. Because of project delays and higher than expected transition costs, TAFE NSW did not meet the original savings target. TAFE NSW has made progress on key elements of the program and anticipates that savings will be realised in coming years.

The report makes two recommendations to improve governance arrangements for delivering on commercial objectives and increasing transparency of non commercial activities. 

The report also identifies a series of lessons for future government transformation programs.

TAFE NSW is the public provider of Vocational Education and Training (VET) in New South Wales. In 2018, TAFE NSW enrolled 436,000 students in more than 1,200 courses at around 130 locations across the State.

There have been major policy changes impacting TAFE NSW over the past decade. Under the Smart and Skilled reform, TAFE NSW started to compete with other Registered Training Organisations (RTOs) for a share of the student market.

In 2016, the NSW Government released 'A Vision for TAFE NSW'. The Vision stated that a failure to adapt to market circumstances had left TAFE NSW with unsustainable costs and inefficiencies. To address this, TAFE NSW needed to become more flexible, efficient and competitive. It set out that TAFE NSW must progressively reduce significant cost inefficiencies, including by moving away from a model of separate institutes to a One  TAFE NSW model. The NSW Government set TAFE NSW a target to achieve savings through implementing the Vision.

TAFE NSW established the One TAFE NSW modernisation program to deliver on that vision. The program initially aimed to deliver savings of $250 million per year from 2018–19, but this target was reviewed and updated as the program was being delivered.

This audit assessed whether TAFE NSW effectively managed the One TAFE NSW modernisation program to deliver on the NSW Government's vision for TAFE NSW. In making this assessment, the audit examined whether:

• delivery of the program was well planned
• the program was driven by sound governance arrangements
• TAFE NSW is making progress against the intended outcomes of the program.

The audit focused on the effectiveness of planning, governance and reporting arrangements. It examined five projects within the overall modernisation program as case studies.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #346 - released 17 December 2020

The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.

The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:

• financial and information technology controls
• business continuity and disaster recovery planning arrangements
• procurement, including emergency procurement
• delegations that support timely and effective decision-making.

Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.

The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.

Read the PDF report

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.

1. Internal control trends

2. Information technology controls

3. Business continuity and disaster recovery planning

4. Procurement, including emergency procurement

5. Delegations

6. Status of 2019 recommendations

Internal controls are processes, policies and procedures that help agencies to:

• operate effectively and efficiently
• produce reliable financial reports
• comply with laws and regulations
• support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.

Appendix one – List of 2020 recommendations 

Appendix two – Status of 2019 recommendations

Appendix three – Cluster agencies

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

This report outlines whether the Department of Customer Service (the department) has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register (the register), and to prevent unauthorised access and misuse.

The audit found that the department has processes in place to ensure that the information entered in the register is accurate and that any changes to it are validated. Although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of information in the register.

The Auditor-General made nine recommendations to the department, aimed at strengthening controls to prevent and detect unauthorised access to, and activity in the register. These included increased monitoring of individuals who have access to the register and strengthening security controls around the databases that contain the information in the register.

The NSW Registry of Births Deaths and Marriages is responsible for maintaining registers of births, deaths and marriages in New South Wales as well as registering adoptions, changes of names, changes of sex and relationships. Maintaining the integrity of this information is important as it is used to confirm people’s identity and unauthorised access to it can lead to fraud or identity theft.

Read full report (PDF)

The NSW Registry of Births Deaths and Marriages (BD&M) is responsible for maintaining registers of births, deaths and marriages in New South Wales. BD&M is also responsible for registering adoptions, changes of name, changes of sex and relationships. These records are collectively referred to as 'the Register'. The Births, Deaths and Marriages Registration Act 1995 (the BD&M Act) makes the Registrar (the head of BD&M) responsible for maintaining the integrity of the Register and preventing fraud associated with the Register. Maintaining the integrity of the information held in the Register is important as it is used to confirm people's identity. Unauthorised access to, or misuse of the information in the Register can lead to fraud or identity theft. For these reasons it is important that there are sufficient controls in place to protect the information.

BD&M staff access, add to and amend the Register through the LifeLink application. While BD&M is part of the Department of Customer Service, the Department of Communities and Justice (DCJ) manages the databases that contain the Register and sit behind LifeLink and is responsible for the security of these databases.

This audit assessed whether BD&M has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register, and to prevent unauthorised access and misuse. It addressed the following:

• Are relevant process and IT controls in place and effective to ensure the integrity of data in the Register and the authenticity of records and documents?
• Are security controls in place and effective to prevent unauthorised access to, and modification of, data in the Register?

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #330 - released 7 April 2020.

This report covers the findings and recommendations from the 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector. The 40 agencies selected for this report constitute around 84 per cent of total expenditure for all NSW public sector agencies.

The report provides insights into the effectiveness of controls and governance processes across the NSW public sector. It evaluates how agencies identify, mitigate and manage risks related to:

• financial controls
• information technology controls
• gifts and benefits
• internal audit
• contingent labour
• sensitive data.

The Auditor-General recommended that agencies do more to prioritise and address vulnerabilities in their internal controls and governance. The Auditor-General also recommended agencies increase the transparency of their management of gifts and benefits by publishing their registers on their websites.

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2019.

1. Internal control trends

2. Information technology controls

3. Gifts and benefits

4. Internal audit

5. Managing contingent labour

6. Managing sensitive data

This report covers the findings and recommendations from our 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies (refer to Appendix three) in the NSW public sector. The 40 agencies selected for this volume constitute around 84 per cent of total expenditure for all NSW public sector agencies.

Although the report includes several agencies that have changed as a result of the Machinery of Government changes that were effective from 1 July 2019, its focus on sector wide issues and insights means that its findings remain relevant to NSW public sector agencies, including newly formed agencies that have assumed the functions of abolished agencies.

This report offers insights into internal controls and governance in the NSW public sector

This is the third report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:

• highlighting the potential risks posed by weaknesses in controls and governance processes
• helping agencies benchmark the adequacy of their processes against their peers
• focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.

Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. For example, if they do not have strong information technology controls, sensitive information may be at risk of unauthorised access and misuse.

Areas of specific focus of the report have changed since last year

Last year's report topics included transparency and performance reporting, management of purchasing cards and taxi use, and fraud and corruption control. We are reporting on new topics this year and re-visiting agency management of gifts and benefits, which we first covered in our 2017 report. Re-visiting topics from prior years provides a baseline to show the NSW public sectors’ progress implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.

Our audits do not review all aspects of internal controls and governance every year. We select a range of measures and report on those that present heightened risks for agencies to mitigate. This year the report focusses on:

• internal control trends
• information technology controls, including access to agency systems
• protecting sensitive information held within agencies
• managing large and diverse workforces (controls around employing and managing contingent workers)
• maintaining an ethical culture (management of gifts and benefits)
• effectiveness of internal audit function and its oversight by Audit and Risk Committees.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, internal controls and audit observations are included in the individual 2019 cluster financial audit reports, which will be tabled in parliament from November to December 2019.

Internal controls are processes, policies and procedures that help agencies to:

• operate effectively and efficiently
• produce reliable financial reports
• comply with laws and regulations
• support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage gifts and benefits. 

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency internal audit functions.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to on-board, manage and off-board contingent labour.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of governance and processes in relation to the management of sensitive data.

Appendix one – List of 2019 recommendations 

Appendix two – Status of 2018 recommendations

Appendix three – In-scope agencies

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Property NSW’s effectiveness in managing NSW Government owned and leased commercial office property is limited in three areas according to a report released today by the Auditor-General for New South Wales, Margaret Crawford.

At 30 June 2018, the NSW Government owned $160 billion worth of land and buildings. The NSW Treasury predicts this figure will rise over the coming years. Property NSW manages more than 900 leased office properties across the state. Approximately 250 of these are owned by Property NSW. Other NSW Government agencies maintain ownership and control of properties considered essential for service provision, such as schools, prisons and hospitals. Between 2012–13 and 2017–18 sales of property assets across the whole of the NSW Government have raised $10 billion, of which Property NSW has sold property assets of approximately $2 billion.

In September 2012, the Property Asset Utilisation Taskforce (the Taskforce) released its report on ‘real property asset management across government’ and concluded that the government has accumulated, over time, ‘a real property asset portfolio it cannot afford to maintain or protect’. The Taskforce noted that ‘a lack of centralised information seriously inhibits any whole-of-government strategic asset planning’ and that maintaining under-utilised or unnecessary properties diverted funds from areas where they might be better used. The Taskforce’s key findings included:

• the NSW Government should own property only as a means to deliver or enhance services
• many government properties were under-utilised, poorly maintained and inappropriate to support service delivery.

The Taskforce recommended the creation of Property NSW, as a replacement for the State Property Authority, to improve property asset utilisation and to drive efficiencies in the government’s owned and leased property portfolio. Property NSW was to achieve these goals by:

• collating property information across the whole-of-government
• working with agencies on longer-term strategic real property asset planning to:
  • provide services to agencies as customers
  • bring a whole-of-government perspective to real property asset planning.

In response to the Taskforce report, in December 2012, the Premier's Memorandum M2012-20 (the Memorandum) established Property NSW to improve the management of the NSW Government's owned and leased real property portfolio.

Under the Memorandum, Property NSW is responsible for:

• management of all leased and owned commercial office accommodation
• acting as the central acquisition and disposal agency 
• providing advice to the government on property matters and developing property policy 
• conducting regular and ongoing reviews of agencies portfolios, working with agencies to identify efficiencies to improve service delivery, in relation to the review of capital planning¹
• maintaining the register of all government owned property.

The Memorandum states that ownership of all commercial office property should be vested in Property NSW. 

This audit assessed whether Property NSW is effective in the management of NSW Government owned and leased commercial office property. To do this we assessed whether NSW Government leased commercial office space is being effectively utilised and whether the Government Property Register, a register of all government owned property, is accurate and up-to-date.

¹ Capital Planning was previously referred to as Total Asset Management (TAM).

Appendix one - Response from agency

Appendix two - Audit Office response

Appendix three - About the audit

Appendix four - Performance auditing

Parliamentary reference - Report number #312 - released 18 December 2018

The Auditor-General for New South Wales Margaret Crawford found that as NSW state government agencies’ digital footprint increases they need to do more to address new and emerging information technology (IT) risks. This is one of the key findings to emerge from the second stand-alone report on internal controls and governance of the 40 largest NSW state government agencies.

This report analyses the internal controls and governance of the 40 largest agencies in the NSW public sector for the year ended 30 June 2018.

This report covers the findings and recommendations from our 2017–18 financial audits that relate to internal controls and governance at the 40 largest agencies (refer to Appendix three) in the NSW public sector.

This report offers insights into internal controls and governance in the NSW public sector

This is our second report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:

• highlighting the potential risks posed by weaknesses in controls and governance processes
• helping agencies benchmark the adequacy of their processes against their peers
• focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.

Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. The way agencies deliver services increasingly relies on contracts and partnerships with the private sector. Many of these arrangements deliver front line services, but others provide less visible back office support. For example, an agency may rely on an IT service provider to manage a key system used to provide services to the community. The contract and service level agreements are only truly effective where they are actively managed to reduce risks to continuous quality service delivery, such as interruptions caused by system outages, cyber security attacks and data security breaches.

Our audits do not review all aspects of internal controls and governance every year. We select a range of measures, and report on those that present heightened risks for agencies to mitigate. This report divides these into the following five areas:

1. Internal control trends
2. Information technology (IT), including IT vendor management
3. Transparency and performance reporting
4. Management of purchasing cards and taxis
5. Fraud and corruption control.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2018 cluster financial audit reports, which will be tabled in Parliament from November to December 2018.

The focus of the report has changed since last year

Last year's report topics included asset management, ethics and conduct, and risk management. We are reporting on new topics this year. We plan to introduce new topics and re-visit our previous topics in subsequent reports on a cyclical basis. This will provide a baseline against which to measure the NSW public sectors’ progress in implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.

Agencies selected for the volume account for 95 per cent of the state's expenditure

While we have covered only 40 agencies in this report, those selected are a large enough group to identify common issues and insights. They represent about 95 per cent of total expenditure for all NSW public sector agencies.

Internal controls are processes, policies and procedures that help agencies to:

• operate effectively and efficiently
• produce reliable financial reports
• comply with laws and regulations
• support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume presents this year’s controls and governance findings in more detail.

Government agencies’ financial reporting is now heavily reliant on information technology (IT). IT is also increasingly important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our audits reviewed whether agencies have effective controls in place to manage both key financial systems and IT service contracts.

This chapter outlines our audit observations, conclusions and recommendations from our review of how agencies reported their performance in their 2016–17 annual reports. The Annual Reports (Statutory Bodies) Regulation 2015 and Annual Reports (Departments) Regulation 2015 (annual reports regulation) currently prescribes the minimum requirements for agency annual reports.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency preventative and detective controls over purchasing card and taxi use for 2017–18.

Fraud and corruption control is one of the 17 key elements of our governance lighthouse. Recent reports from ICAC into state agencies and local government councils highlight the need for effective fraud control and ethical frameworks. Effective frameworks can help protect an agency from events that risk serious reputational damage and financial loss.

Our 2016 Fraud Survey found the NSW Government agencies we surveyed reported 1,077 frauds over the three year period to 30 June 2015. For those frauds where an estimate of losses was made, the reported value exceeded $10.0 million. The report also highlighted that the full extent of fraud in the NSW public sector could be higher than reported because:

• unreported frauds in organisations can be almost three times the number of reported frauds
• our 2015 survey did not include all NSW public sector agencies, nor did it include any NSW universities or local councils
• fraud committed by citizens such as fare evasion and fraudulent state tax self-assessments was not within the scope of our 2015 survey
• agencies did not estimate a value for 599 of the 1,077 (56 per cent) reported frauds.

Commissioning and outsourcing of services to the private sector and the advancement of digital technology are changing the fraud and corruption risks agencies face. Fraud risk assessments should be updated regularly and in particular where there are changes in agency business models. NSW Treasury Circular TC18-02 NSW Fraud and Corruption Control Policy now requires agencies develop, implement and maintain a fraud and corruption control framework, effective from 1 July 2018. 

Our Fraud Control Improvement Kit provides guidance and practical advice to help organisations implement an effective fraud control framework. The kit is divided into ten attributes. Three key attributes have been assessed below; prevention, detection and notification systems.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency fraud and corruption controls for 2017–18.

Appendix one - List of 2018 recommendations

Appendix two - Status of 2017 recommendations

Appendix three - Cluster agencies

A report released today by the Auditor-General for New South Wales, Margaret Crawford, found there is no whole-of-government capability to detect and respond effectively to cyber security incidents. There is very limited sharing of information on incidents amongst agencies, and some agencies have poor detection and response practices and procedures.

The NSW Government relies on digital technology to deliver services, organise and store information, manage business processes, and control critical infrastructure. The increasing global interconnectivity between computer networks has dramatically increased the risk of cyber security incidents. Such incidents can harm government service delivery and may include the theft of information, denial of access to critical technology, or even the hijacking of systems for profit or malicious intent.

This audit examined cyber security incident detection and response in the NSW public sector. It focused on the role of the Department of Finance, Services and Innovation (DFSI), which oversees the Information Security Community of Practice, the Information Security Event Reporting Protocol, and the Digital Information Security Policy (the Policy).

The audit also examined ten case study agencies to develop a perspective on how they detect and respond to incidents. We chose agencies that are collectively responsible for personal data, critical infrastructure, financial information and intellectual property.

Appendix one - Response from agency

Appendix two - ISMS maturity model

Appendix three - About the audit

Appendix four - Performance auditing

Parliamentary reference - Report number #297 - released 2 March 2018