The NSW Department of Finance and Services has confirmed 17 state government agencies failed to report on progress against the government’s new digital information security policy by the 31 July cut-off.
The state’s new security plan was released in November last year, and set out in clear terms that all NSW departments, statutory bodies and shared service providers would be expected to update the DFS on their progress against 13 points of compliance with the policy by the middle of the year.
At the last meeting of the NSW ICT Board, held in late September, members sighted submissions from 128 of 145 reporting agencies.
A spokesperson for the DFS didn’t identify the 17 lagging organisations but confirmed that all shared services agencies and cluster agencies had complied. She said the department was working with the late agencies “to help them meet implementation and reporting timeframes”.
The board was satisfied with the work being done by the 128 agencies that did make the cut-off.
“Initial data on progress to date, and information provided by members of the Digital Information Security Community of Practice, is encouraging and suggests that implementation is progressing well,” the spokesperson said.
Getting the whole public sector on board with information controls and digital disaster recovery has been an ongoing struggle for the central agencies of the NSW Government.
In consecutive reports in 2011 and 2012, then Auditor-General Peter Achterstraat found that the number of agencies with no documented disaster recovery provisions had increased from 14 to 17.
In 2010 he found that monitoring of the government’s old security scheme was lacking.
“The government cannot say with any certainty whether agencies have implemented its policy. As a result, the government does not know how well agencies are securing sensitive personal information.”
One of the problems identified with the old policy was a blanket security requirement that far exceeded the standards that many low-risk bodies realistically needed to meet.
In response, the new policy outlined a reduced set of requirements that all agencies must meet, with a higher level reserved for shared services agencies and those with a higher risk profile.
All departments, agencies and statutory bodies are expected to have fully implemented the outcomes of the new policy, including the appointment of an accountable security officer, by 31 December this year.