Cyber Security NSW takes maturity assessments at face value
- Published
Cyber Security NSW, the state’s whole-of-government cyber security office, is yet to audit a single agency’s self-assessed security maturity.
Every year, NSW agencies have to self-assess and report their maturity “against all mandatory requirements” in the NSW cyber security policy and against the Australian Cyber Security Centre’s Essential Eight. [pdf]
Reports are then sent to Cyber Security NSW, which was meant to have been auditing the cyber security self-assessments of clusters and agencies “commencing in 2020-21”, according to a published circular.
But the NSW auditor-general said today [pdf] that no agency self-assessments had been audited by Cyber Security NSW to date.
“These self-assessments provide the only measure of cyber security maturity of the NSW government,” the auditor-general said.
“Cyber Security NSW has not performed audits of the artifacts that support agency self-assessments.
“By not conducting targeted audits, Cyber Security NSW is not providing a level of assurance, implicitly expected by the NSW government in making the [cyber security] policy, that agencies’ self-assessments are consistent and sound.”
The auditor-general said it didn’t expect Cyber Security NSW to check up on every self-assessment it received.
But the auditor-general said “a risk-based approach may have both an educative benefit for agencies, as well as ensuring that agencies are diligent and considered in their assessments.”
“As one senior agency stakeholder suggested, agencies are more likely to comply with the policy if ‘…someone might be looking over their shoulder’,” the auditor-general said.
“Another stakeholder expressed concern about the capacity of agencies to conduct their self-assessments uniformly, arguing that this left open the need for 'basic assurance and spot checking’ by Cyber Security NSW.”
The auditor-general previously found that agencies tend “to over-assess their cyber security maturity” and that some were unable “to support all their self-assessments with evidence.”
An external audit, commissioned by Cyber Security NSW, is also said to have “found divergent approaches in how agencies perform their maturity self-assessments”, though did not lead to the assurance work being completed.
“Cyber Security NSW has a remit to carry out audits of agencies’ self-assessments, but it has not carried out these audits and does not seek its own assurance of the results of these self-assessments,” the auditor-general said.
“It is not sufficiently addressing previously identified inconsistencies and inaccuracies in how those self-assessments are performed and reported.”