NSW government agencies have made “insufficient progress to improve cyber security safeguards” since the introduction of the government’s cyber security policy, a damning audit has found.
The report, released on Thursday, uncovered sustained “non-compliance and significant weaknesses” with the policy, first introduced in 2019, during the 2019-20 reporting period.
As has become routine, it also reiterated that agencies are continuing to struggle to implement the Essential Eight cyber security controls.
“The poor levels of cyber security maturity are a significant concern,” the audit into compliance with the policy [pdf] said, adding that improvement requires “dedicated leadership and resourcing”.
The NSW Audit Office has been calling for the government to urgently prioritise improvements to cyber security and resilience for each of the last three years.
The government has responded with a $240 million investment in cyber security in last year’s budget, which agencies are now using to fund various uplift programs.
The audit found the policy had done little to achieve the “objective of improved cyber governance, controls and culture” since it was introduced to replace the digital information security policy.
It was specifically looking at the nine lead clusters of Premier and Cabinet, Communities and Justice, Customer Service, Education, Planning, Regional NSW, Health, Treasury and Transport.
“Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied,” the report concluded.
“There has been insufficient progress to improve cyber security safeguards across NSW government agencies.”
The audit put this down to a number of factors, including that the policy does not “set a minimum maturity threshold for agencies to meet”.
Instead, agencies can “decide not to implement requirements of the CSP, or they can decide to implement them only in an informal or ad-hoc manner”.
There is also no requirement to “demonstrate reasons for not implementing requirements” or have heads formally acknowledge the residual risk, as is the case in other similar jurisdictions.
The audit noted that a previous iteration of the policy’s reporting template had “stated that level three maturity… was required for compliance with the CSP”, but that this was removed in 2020.
Customer Service told the auditor, however, that the requirement was incorrectly included in 2019, and that there was never a requirement to meet a minimum level of maturity.
The audit said that by not having a minimum baseline agencies are “able to target lower levels”, and therefore choose not to practice a CSP policy requirement or to practice it on an ad-hoc basis.
Essential Eight still a struggle
Under the CSP, agencies are required to self-assess their maturity against the Essential Eight cyber security controls.
Of the nine lead agencies assessed, eight were found not to have implemented any of the Essential Eight controls to level three, which is considered the baseline by the Australian Cyber Security Centre.
All nine agencies also “failed to reach even level one maturity for at least three of the Essential Eight”, as at the end of June 2020, the report said.
But it is impossible to discern the worst offenders, as the auditor has “reluctantly agreed to anonymise agencies and their specific failings” because “the vulnerabilities… have not yet been remedied”.
More generally, the audit found only five of the 104 agencies had self-assessed their maturity at level three or above on the CSP’s five-point maturity scale, as at the end of June 2020.
“This means that, according to their own self-assessments, 99 agencies practiced requirements with the framework in what the CSP’s maturity model describes as an ad hoc manner, or they did not practice the requirement at all,” the report said.
The audit also found that seven of the nine agencies audited were reporting levels of maturity against the mandatory requirements in the CSP and Essential Eight that were “not supported by evidence”.
“Each of the nine participating agencies for this audit had overstated their level of maturity against at least one of the 20 mandatory requirements,” the report said.
“Seven agencies were not able to provide evidence to support their self-assessed ratings for the Essential 8 controls.”
The audit also observed that seven of the nine agencies had “not modified the proforma wording in their attestation to reflect their actual situation”.
Cyber Security NSW has been told to improve its monitoring of compliance with the CSP, and require agencies to report target levels of maturity for each mandatory requirement.
A new governance, risk and compliance function was recently created for this purpose, as revealed by the government in its response to the recent parliamentary inquiry into cyber security.
The audit has asked agencies to “resolve discrepancies between their reported level of maturity and the level they are able to demonstrate with evidence”.