#449 – NSW Cyber Security Audit – James Kline Ph.D.

This is the first of two articles dealing with cyber security and government. This article discusses the results of the New South Wales (NSW) Auditor-General's report on cyber security in local government. The second will deal with the U.S. National Institute of Standards and Technology's (NIST) Cybersecurity Framework 2.0.

The NSW audit highlights the problems governments, particularly local governments, are having with cyber-security implementation. The NIST Cybersecurity Framework provides a process for beefing up cyber-security. Thus, this article lays out the problems; the second discusses a process for mitigating them.

Audit Background

The threat of a cyber-attack is well understood. The Australian Signals Directorate's (ASD) 2022-2023 Cyber Threat Report found that there were over 1,100 cyber security incidents and that nearly 94,000 reports were made to law enforcement. Vital systems and Australian networks in both the public and private sectors were targets of opportunity and of deliberate malicious acts.

“Australian critical infrastructure was targeted via increasingly interconnected systems. Operational technology connected to the internet and into corporate networks has provided opportunities for malicious cyber actors to attack these systems. In 2022-23, ASD responded to 143 cyber security incidents related to critical infrastructure.” (1)

Audit Coverage

Recognizing the increasing number of cyber-attacks in Australia, and that local government services include critical infrastructure, the NSW Auditor-General's Office conducted an audit of three local governments to determine their level of cyber security. The councils were: City of Parramatta Council, Singleton Council and Warrumbungle Shire Council. (2)

To determine the level of cyber-security, the audit examined whether the councils:

  1. Effectively identify and plan for cyber security risks.
  2. Have controls in place to effectively manage identified cyber security risks.
  3. Have processes in place to detect, respond to and recover from cyber security incidents.

The audit also included the Department of Customer Service, which supports local councils with cyber security, and the Office of Local Government (OLG) within the Department of Planning and Environment, which provides local governments with guidance and support, with respect to sustainability, performance, integrity, transparency, and accountability.

Findings

There were two general takeaways from the audit.

  1. The three councils are not effectively identifying and managing cyber security risks. Consequently, their information systems and the infrastructure they provide are at risk.
  2. None of the councils have up-to-date processes to support effective detection, response, and recovery from cyber security incidents.

With respect to specific findings, a few are listed below.

  • None of the councils are effectively using risk management processes to identify and manage cyber security risks.
  • None of the councils have assessed the business value of their information and systems to inform cyber security risk identification and management, nor have they assigned cyber security responsibilities for all core systems.
  • None of the councils have a clear and consistent approach to monitoring the effectiveness of controls to mitigate identified cyber security risks.
  • None of the councils have a cyber incident response plan to ensure an effective response to and prompt recovery from cyber incidents, and their business continuity and disaster recovery planning documentation is not up to date.
  • None of the councils maintain a register of cyber incidents to record information about the sources and types of incidents experienced and relevant responses, to support post-incident evaluation.

Based on the audit findings, recommendations were made.

Recommendations

Below are the key recommendations.

Council Actions

  1. Integrate the assessment and monitoring of cyber security into corporate governance processes by:
    1. Implementing clear governance arrangements for cyber security, including a mechanism for regular reporting to management.
    2. Ensuring the Council’s Enterprise Risk Management (ERM) framework is being applied to cyber security, including through maintaining risk registers.
  2. Complete a self-assessment against the foundational requirements in the Cyber Security Guidelines – Local Government and:
    1. Ensure that the outcomes of the self-assessment are reflected in other relevant documentation including the risk registers and insurance documentation.
    2. Report results to management.
  3. Implement a plan and structured program of activities to improve the Council's cyber security that considers and addresses the Council's current cyber security maturity and a comprehensive assessment of cyber security risks and gaps.

At a minimum, the plan and program of activities should:

    1. Define the Council’s cyber security objectives.
    2. Set out roles and responsibilities for oversight and implementation.
    3. Establish implementation timeframes, and processes for regular review and reporting on how cyber security activities and controls are supporting risk management.
    4. Establish a plan to re-assess the Council’s cyber security maturity in the future.
    5. Establish a regular schedule of testing of the cyber security of systems and the network.

  4. Ensure that the plan and program of activities are underpinned by:
    A. A catalogue of all information and systems held by the Council.
    B. An assessment of cyber security risks informed by the business value of the information and systems, including for systems used to support important infrastructure services.
    C. Consideration of required resources and capabilities.
    D. A structured program of regular training and awareness activities.
    E. Policies and procedures that support staff and third-party providers to understand their roles and responsibilities for cyber security.
    F. Clearly defined roles and responsibilities and a documented risk assessment for third-party arrangements.
  5. Develop, implement, and test a cyber incident response plan.

In addition to making specific recommendations to these local governments, the audit recommended that the Office of Local Government and the Department of Customer Service implement specific actions. The audit report includes due dates for these actions.

The Office of Local Government should take two actions.

By June 2024 the Office of Local Government should:

  1. Implement and maintain a schedule of regular consultation between the agencies to share information on cyber security risks facing the local government sector and identify opportunities for collaboration to:
    A. Highlight the importance of cyber security risk management, including through sharing case studies that demonstrate good practice within local councils.
    B. Promote guidance and support available from the NSW Government and other sources that may assist councils to improve their cyber security risk management.

By September 2024, the Office of Local Government should:

  1. Update the draft procurement guidelines for local councils to include relevant guidance on identifying and managing cyber security risks in procurement processes and third-party arrangements.

By September 2024 the Department of Customer Service (Cyber Security NSW) should:

  1. Implement an annual review of the Cyber Security Guidelines – Local Government and related resources. The review should include:
    1. Updates made to the NSW Cyber Security Policy.
    2. The usefulness, relevance and effectiveness of the Guidelines and related resources based on Local Councils’ feedback.

Conclusion

The audit, even though it is only of three local governments, points out the problems local governments have with respect to cyber security. These problems are applicable to most local governments around the world.

Since NSW, with this audit, and the Commonwealth of Australia more generally, are at the forefront in identifying the cyber-security problems faced by local governments, attention should be paid to the actions proposed to mitigate cyber-security and enterprise-wide risks.

For instance, the Commonwealth requires that organizations, both public and private, which have aspects of critical infrastructure under their control, develop a Critical Infrastructure Risk Management Plan (CIRMP). The Commonwealth has identified five critical infrastructure categories. Cyber security is one of the five categories. Further, following the U.S. NIST Cybersecurity Framework is considered an acceptable CIRMP. The NIST Cybersecurity Framework is specifically designed to be plugged into the organization's ERM process.

In CERM Risk Insights # 432, where I review the Commonwealth's CIRMP, it is noted:

    The requirements of risk identification and mitigation, along with the five risk categories that must be covered, effectively mandate that critical infrastructure organizations adopt Enterprise Risk Management. (3)

With respect to ERM, the Commonwealth has required its departments to implement ERM. NSW has gone further: it has not only adopted ERM for its own operations but has also mandated that all local governments adopt ERM. The audit's reference to including cyber security risks in the organization's risk register and corporate governance process reinforces this mandate. It is also consistent with the Commonwealth's CIRMP requirements for cyber security.

An important aspect of the audit is its recognition that many local governments do not have the financial resources or technical capabilities to adequately manage cyber security risks. This is why the audit requires that the Office of Local Government and the Department of Customer Service (Cyber Security NSW) provide timely assistance and threat updates.

To sum up, local governments around the world should take note of the results of this audit. Further, federal and state governments need to recognize that local governments provide critical infrastructure which is vulnerable to cyber-attacks. Since many local governments do not have the financial resources or talent to adequately defend against cyber-attacks, federal and state assistance is necessary.

Endnotes

  1. Australian Signals Directorate, 2023, ASD Cyber Threat Report, 2022-2023. https://www.cyber.gov/sites/default/files/2023-11/asd-cyber-thrate-report-2023.pdf page 11.
  2. Audit Office of New South Wales, 2024, Cyber security in local government, New South Wales Auditor-General Report, https://www.audit.nsw.gov.au/sites/default/files/documents/Final%20report%20-%Cyber%Ssecurity%20in%20local%20government-0.pdf
  3. Kline, James, 2023, Australian Critical Infrastructure Risk Management, CERM Insights, October 8, 2023.


James J. Kline, Ph.D., CERM. He has worked in federal, state, and local government. He has authored numerous articles on quality in government and risk management. His two books Enterprise Risk Management in Government: Implementing ISO 31000:2018 and Risk Based Thinking for Government are available on Amazon. Also available on Amazon is Quality Disrupted, which he edited. He can be reached at jamesjk1236@outlook.com.
