Report highlights: Compliance with the NSW Cyber Security Policy

What the report is about

This audit assessed nine agencies’ compliance with the NSW Cyber Security Policy (CSP) including whether, during the year to 30 June 2020, the participating agencies:

  • met their reporting obligations under the CSP
  • reported accurate self-assessments of their level of maturity implementing the CSP’s requirements including the Australian Cyber Security Centre’s (ACSC) Essential 8.

What we found

Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. The CSP is not achieving the objectives of improved cyber governance, controls and culture because:

  • the CSP does not specify a minimum level for agencies to achieve in implementing the 'mandatory requirements' or the Essential 8
  • the CSP does not require agencies to report their target levels, nor does it require risk acceptance decisions to be documented or formally endorsed
  • each participating agency had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis
  • none of the participating agencies had implemented all of the Essential 8 controls
  • agencies tended to over-assess their cyber security maturity - all nine participating agencies were unable to support all of their self-assessments with evidence
  • there is no monitoring of the adequacy or accuracy of agencies' self-assessments.

What we recommended

In this report, we repeat recommendations made in the 2019 and 2020 Central Agencies reports, that Cyber Security NSW and NSW Government agencies need to prioritise improvements to cyber security resilience as a matter of urgency.

Cyber Security NSW should:

  • monitor and report compliance with the CSP
  • require agencies to report the target and achieved levels of maturity
  • require agencies to justify why it is appropriate to target a low level of maturity
  • require the agency head to formally accept the residual risk
  • challenge agencies' target maturity levels.

Agencies should resolve discrepancies between their reported level of maturity and the level they are able to support with evidence.

Separately, the agencies we audited requested that we not disclose our audit findings. We reluctantly agreed to anonymise our findings, even though they are more than 12 months old. We are of the view that transparency and accountability to the Parliament of New South Wales are part of the solution, not the problem.

The poor levels of agency cyber security maturity are a significant concern. Improvement requires leadership and resourcing.

Fast facts

The NSW Cyber Security Policy requires agencies to report their level of maturity implementing the mandatory requirements, which includes the ACSC's Essential 8.

  • 100% of audited agencies failed to reach level one maturity for at least three of the Essential 8 controls.

  • 53% of mandatory requirements implemented in an ad hoc or inconsistent manner, or not at all.

  • 89 of the 104 reporting agencies across government met the reporting deadline of 31 August.

Further information

Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.