NSW government agencies barely pass Auditor-General's security probe

Out of 10 state government agencies, only two were found by the Auditor-General as having 'good' detection and response processes.
Written by Asha Barbaschow, Contributor

The New South Wales Auditor-General has asked the Department of Finance, Services and Innovation (DFSI) to create a whole-of-government capability that encourages the sharing of cybersecurity and threat information, recommending also the development of a digital means to report such incidents.

The recommendations were made in a probe the Auditor-General conducted on 10 state government agencies that examined cybersecurity incident detection and response in the NSW public sector.

In Detecting and responding to cybersecurity incidents: Performance Audit [PDF], it was revealed that out of the 10 agencies investigated, two have good detection and response processes, four have a medium capability to detect and respond to incidents in a timely manner, and the remaining four have a low capability.

According to the report, most of the 10 agencies investigated use an automated tool for detecting and alerting IT administrators when there is a suspected incident. The tool's coverage ranged from all IT systems in some agencies to just a few in others, and some agencies do not use such a tool and only monitor logs periodically or on an ad-hoc basis, the report said.

While it was found most agencies have incident response procedures, some lack guidance on who to notify and when, while some do not have response procedures at all. Eight agencies had not tested their procedures, Auditor-General Margaret Crawford wrote.

Only a few agencies have regular meetings with service providers and receive reports on security-related information, with seven agencies claiming they routinely receive security performance reports from their IT service provider -- however, the report says only five were able to provide any evidence to support this.

It was reported that agencies could not produce evidence of the cybersecurity training that had been provided to staff, with only one agency able to provide training records to the Auditor-General to support such claims.

Meanwhile, three agencies were found to rely almost entirely on other larger agencies for incident detection, but have no formal agreements in place, while two agencies were found to have not reported cybersecurity-related incidents to DFSI, despite the practice being mandatory.

"Three other agencies that are required to report advised they had no incidents but would not report even if they did," the report says. "None of the agencies' procedures included a requirement to report incidents to DFSI."

Of concern to the Auditor-General was that there is no whole-of-government capability to detect and respond effectively to cybersecurity incidents, nor is there enough sharing of information on incidents amongst agencies.

"There is a risk that incidents will go undetected longer than they should, and opportunities to contain and restrict the damage may be lost," the report says. "Given current weaknesses, the NSW public sector's ability to detect and respond to incidents needs to improve significantly and quickly."

In addition to the creation of a central repository overseen by DFSI, the Auditor-General wants the department to assist agencies to improve their detection and response; improve their training and awareness programs; develop a means to share threat information with Australian government security agencies, other states, and the private sector; and provide assurance that agencies have appropriate incident reporting procedures.

The NSW government announced the appointment of its first government chief information security officer (GCISO) in March 2017, hiring Dr Maria Milosavljevic from Austrac to fill the position.

At the time, it was said Milosavljevic would work with industry, all levels of government, and international governments on a "collaborative" approach to cybersecurity.

As GCISO, she is also charged with developing a set of standards with NSW government agencies to streamline the cybersecurity approach across government.
