The NSW public sector is a case study in the importance of compliance with a security regime.
Its history shows that if line agencies pay no attention to whole-of-government policy, that policy becomes little more than a missed threshold that earns an agency a slap on the wrist from the auditor.
That is precisely what NSW Auditor-General Peter Achterstraat did in 2010, when he released a scathing report suggesting that as many as two-thirds of NSW state organisations were not meeting the standards demanded by the government’s ministerial memorandum on IT security.
At the time, security was the responsibility of the now-defunct Government CIO office, which was at least nominally expected to survey agencies on their infosec practices each year.
No one has taken a really deep dive into the condition of NSW’s cyber defences since the 2010 review - but the government this year issued a new mandatory directive indicating it wanted to grow some infosec teeth.
And the policy has some teeth, at least on paper. It mandates not only that agencies comply with a list of security controls based on ISO 27001, but that those deemed highest risk must maintain independent third-party certification of that compliance - and prove it.
Beginning with the 2015-16 round of annual reports, all agency chiefs will have to sign a public attestation of their infosec compliance or explain why they cannot. Shared services providers had to deliver their certified attestations by 31 July this year, and the Department of Finance advised iTnews that all had complied.
It will likely take a year or two to see whether the ‘shine a light’ approach scares the state’s agencies into lifting their game on data security; it will certainly mean nasty headlines for those that don’t.