Examination of New South Wales' Cybersecurity Policy Conducted by Audit Office

Report Published by the Audit Office of New South Wales Analysing State Agencies' Compliance with the NSW Cyber Security Policy in 2024

In a recent development, the Audit Office of New South Wales has published a comprehensive report analysing State agencies' compliance with the NSW Cyber Security Policy in 2024. The report, which contains findings from performance audits, compliance audits, and financial audits, serves as a valuable resource for the public sector, providing insights into the challenges and opportunities for strengthening cyber resilience.

One of the key findings of the report is the need for agencies to focus on cyber resilience gaps, particularly in implementing 'protect' domain controls. The report also highlights failures to meet basic protection standards in the NSW public sector, underscoring the importance of aligning culture with the cyber security environment to ensure controls are fit for purpose.

Addressing unclear roles in cyber security governance is another area of concern. The report emphasises the need for clearer definitions and responsibilities to ensure effective cyber security measures are in place.

The increased reliance on information technology in modern government and global interconnectivity between computer networks have increased the risk of cybersecurity incidents. These incidents can harm government service delivery and result in theft of information, breaches of private information, denial of access to critical technology, or system hijacking for profit or malicious intent. They can also have adverse impacts on the community and harm trust in government.

The report also underscores the risk that aggregate reporting reduces visibility into agency compliance levels and cyber risks. To mitigate this, the report recommends performing phishing simulations more regularly in the NSW public sector.

Another significant concern raised in the report is the limited oversight of third-party providers. The report calls for managing third-party cyber security risk in the NSW public sector to ensure the safety and security of all information assets, which must be adequately identified in the sector.

The report also highlights a lack of independent assurance over agency reporting against the Cyber Security Policy. To address this, the report suggests the need for more robust independent cybersecurity compliance reviews, typically conducted under the oversight of governmental cybersecurity authorities and institutions such as the Australian Cyber Security Centre (ACSC) and relevant state government cybersecurity divisions.

In conclusion, the report provides a clear picture of the current state of cybersecurity in the NSW public sector and offers valuable insights into the steps that need to be taken to strengthen its cyber resilience. By addressing the issues highlighted in the report, the NSW public sector can ensure the safety and security of its information assets, maintain the trust of the community, and continue to deliver essential services effectively.
