A NSW parliamentary inquiry has urged the government to review its cyber security policy in the wake of the high-profile Service NSW data breach last year to give agencies clarity around mandatory standards.
It has also asked that the whole-of-government cyber security office, Cyber Security NSW, move from the Department of Customer Service to the Department of Premier and Cabinet to give it greater clout.
Handing down its long-awaited report [pdf] into cyber security and digital information management on Friday afternoon, the premier and finance committee said it “holds concerns about the adequacy of cyber security across agencies”.
It pointed to “multiple findings and repeated recommendations from the auditor-general”, despite noting recent developments to strengthen cyber security, including through a $240 million investment.
In December, the auditor told the government to improve its cyber security for the third straight year after finding that the vast majority of agencies had low levels of maturity with the Essential Eight controls.
Agencies are required to implement and assess maturity against the Essential Eight under the government’s cyber security policy, which was introduced in February 2019 and last updated in February 2020.
“The committee considers it an urgent matter to bring agencies to a more acceptable position, where there is not several months or years taken to implement recommended improvements,” it said.
“This is particularly critical given the evidence before the inquiry regarding the changing threat environment and constant emergence of new technologies.”
The committee said the “role of the Cyber Security NSW could be enhanced to provide oversight and more direct input on agencies’ cyber security risks assessments and mitigation strategies”.
It recommended that the government review the office’s functions and move it from the Department of Customer Service to the Department of Premier and Cabinet to provide it with “more independence from service delivery agencies and increased visibility and authority”.
“The committee recognises that each agency needs to be responsible for its own cyber security, however, there is an opportunity for Cyber Security NSW to have a clearer mandate to ensure agencies are meeting a certain standard,” the committee said.
Cyber security policy “clarity” needed
Alongside giving Cyber Security NSW more clout, the committee has urged the government to review its cyber security policy, which requires agencies to implement and assess maturity against the Essential Eight.
Despite improvements and the adoption of mandatory requirements since it was introduced in February 2019, the committee said that “clarity is required to set a benchmark that all agencies, and their contracted service providers, must meet and not simply report against”.
“The committee is concerned that despite the multiple adverse findings by the Auditor-General and warnings from others about the cyber security risks, agencies are slow to adopt the recommendations and strengthen their cyber security measures,” it said.
“The committee considers that part of this problem is that there is no oversight or compliance mechanism in place to require agencies to achieve certain levels of maturity.”
The committee also believes that there is “merit in developing baseline security standards for internet of things devices” and recommended the government work with industry to determine the most appropriate model.
Mandatory data breach reporting
The committee also used the report to recommend the government “urgently establish a mandatory data breach notification scheme” for NSW agencies and better resource the Information and Privacy Commission.
The government has been consulting on such a scheme – which was first recommended by former privacy commissioner Elizabeth Coombs in 2015 – since mid-2019, but it is now not expected to be introduced until next year, as reported by iTnews earlier this month.
The committee also wants the responsibility and resourcing of the Privacy Commissioner reviewed “so that the office can be more proactive in ensuring government services and systems are designed and delivered with stringent privacy protections”.
More to come