Report highlights: Cyber Security NSW: governance, roles, and responsibilities

What the report is about

Cyber Security NSW is part of the Department of Customer Service, and aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats.

This audit assessed the effectiveness of Cyber Security NSW's arrangements in contributing to the NSW Government's commitments under the NSW Cyber Security Strategy, in particular, increasing the NSW Government's cyber resiliency. The audit asked:

  • Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives? 
  • Are Cyber Security NSW's roles and responsibilities defined and understood across the public sector?

What we found

Cyber Security NSW has a clear purpose that is in line with wider government policy and objectives. However, it does not clearly and consistently communicate its key objectives, with too few reliable and meaningful ways of measuring progress toward those objectives.

Cyber Security NSW does not provide adequate assurance of the cyber security maturity self assessments performed by NSW Government agencies. Department heads are accountable for ensuring their agency's compliance with NSW government policy.

Cyber Security NSW has a remit to assist local government to improve cyber resilience. However, it cannot mandate action and does not have a strategic approach guiding its efforts.

What we recommended

By 30 June 2023 the Department of Customer Service should:

  1. implement an approach that provides reasonable assurance that NSW government agencies are assessing and reporting their compliance with the NSW Government Cyber Security Policy in a manner that is consistent and accurate
  2. ensure that Cyber Security NSW has a strategic plan that clearly demonstrates how the functions and services provided by Cyber Security NSW contribute to meeting its purpose and achieving NSW government outcomes
  3. ensure that Cyber Security NSW has a detailed, complete and accessible catalogue of services available to agencies and councils
  4. develop a comprehensive engagement strategy and plan for the local government sector, including councils, government bodies, and other relevant stakeholders. 

Fast facts

  • 2019 Cyber Security NSW established, succeeding the Office of the Government Chief Information Security Officer, itself established in 2017
  • $5m initial yearly funding for Cyber Security NSW, as levied from NSW government agencies
  • $60m enhanced funding for Cyber Security NSW under the Digital Restart Fund over three years from FY2020–21
  • $180m enhanced cyber security funding to other NSW government agencies over three years from FY2020–21
  • 67,500 number of cyber security incidents reported nationally to the Australian Cyber Security Centre in 2020–21

Further information

Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.