Cyber Security NSW takes maturity assessments at face value

Cyber Security NSW, the state’s whole-of-government cyber security office, is yet to audit a single agency’s self-assessed security maturity.

Every year, NSW agencies have to self-assess and report their maturity “against all mandatory requirements” in the NSW cyber security policy and against the Australian Cyber Security Centre’s Essential Eight. [pdf]

Reports are then sent to Cyber Security NSW, which was meant to have been auditing the cyber security self-assessments of clusters and agencies “commencing in 2020-21”, according to a published circular.

But the NSW auditor-general said today [pdf] that no agency self-assessments had been audited by Cyber Security NSW to date.

“These self-assessments provide the only measure of cyber security maturity of the NSW government,” the auditor-general said.

“Cyber Security NSW has not performed audits of the artifacts that support agency self-assessments.

“By not conducting targeted audits, Cyber Security NSW is not providing a level of assurance, implicitly expected by the NSW government in making the [cyber security] policy, that agencies’ self-assessments are consistent and sound.”

The auditor-general said it didn’t expect Cyber Security NSW to check up on every self-assessment it received.

But the auditor-general said “a risk-based approach may have both an educative benefit for agencies, as well as ensuring that agencies are diligent and considered in their assessments.”

“As one senior agency stakeholder suggested, agencies are more likely to comply with the policy if ‘…someone might be looking over their shoulder’,” the auditor-general said.

“Another stakeholder expressed concern about the capacity of agencies to conduct their self-assessments uniformly, arguing that this left open the need for ‘basic assurance and spot checking’ by Cyber Security NSW.”

The auditor-general previously found that agencies tend “to over-assess their cyber security maturity” and that some were unable “to support all their self-assessments with evidence.”

An external audit, commissioned by Cyber Security NSW, is also said to have “found divergent approaches in how agencies perform their maturity self-assessments”, though it did not lead to the assurance work being completed.

“Cyber Security NSW has a remit to carry out audits of agencies’ self-assessments, but it has not carried out these audits and does not seek its own assurance of the results of these self-assessments,” the auditor-general said.

“It is not sufficiently addressing previously identified inconsistencies and inaccuracies in how those self-assessments are performed and reported.”
