The
NSW
state
government
gave
Cyber
Security
NSW
responsibility
in
2020
to
improve
cyber
security
in
the
local
government
sector,
but
didn’t
give
it
the
power
to
mandate
councils’
security.
The
NSW
auditor
general
noted
the
discrepancy
in
its
report
[pdf]
into
Cyber
Security
NSW
yesterday.
“Under
its
2020
enhanced
funding,
Cyber
Security
NSW
was
given
a
range
of
general
responsibilities
for
extending
support
to,
and
raising
capability
of,
cyber
security
in
the
local
government
sector,”
the
auditor
wrote.
That
was
to
include
proactive
monitoring
and
intelligence,
along
with
training
and
awareness.
While
the
whole-of-government
security
agency
has
engaged
with
the
local
government
sector,
it
has
achieved
mixed
results.
The
report
noted
the
lack
of
a
“formal
mandate”
for
the
sector,
but
also
criticised
Cyber
Security
NSW
for
the
lack
of
“an
engagement
plan
or
strategy
to
guide
its
engagement
with
the
local
government
sector.”
“it
is
unclear
whether
the
services
available
to
councils
are
well
targeted
to
raise
their
cyber
security
resilience,
or
whether
councils
have
detailed
awareness
of
existing
services,” The
report
added.
The
agency
has
adopted
an
opt-in
approach
to
engaging
with
councils,
the
auditor-general
said.
Further,
its
work
developing
non-binding
guidelines,
developed
in
collaboration
with
the
Office
of
Local
Government,
was
delayed,
with
the
guidelines
only
being
released
on
December
19
last
year.
Among
recommendations
to
improve
its
work
with
councils,
the
auditor-general
said
the
security
agency
should
compile
“a
detailed,
complete,
and
accessible
catalogue
of
services
available
to
agencies
and
councils”,
as
well
as
develop
an
engagement
strategy
for
the
local
government
sector.
The
auditor-general
has
also
criticised
Cyber
Security
NSW
for
not
auditing
state
government
agencies’
self-assessments
of
their
security
maturity.
About Author
