New South Wales public service employees and the State’s GovConnect shared services providers are struggling to meet basic information security standards, according to Auditor-General Margaret Crawford.
With cyber threats a growing concern for government, the continued inability of NSW agencies to remedy their information security weaknesses is likely to make cybersecurity a focus in the lead-up to the NSW election, now just two years away, and may result in specific, funded initiatives in the upcoming budget, which is expected to be brought down in late May or early June.
The remedial action required of agencies will be one of the early challenges facing Dr Maria Milosavljevic, the recently appointed Whole-of-Government (WofG) Chief Information Security Officer (CISO), who reports to WofG NSW Government Chief Information and Digital Officer Damon Rees.
Such action is likely to be both procedural (training and greater management emphasis on the importance of user adherence to security standards) and system-based, creating more opportunities for information security solutions that manage the end-user environment.
In the Digital+2016 update of the NSW ICT Strategy, the government committed to a more coordinated approach to cybersecurity, and the development of a secure information exchange to allow NSW agencies to safely and confidently share information across jurisdictions. In light of the audit findings, cybersecurity is likely to be a focus in the new digital strategy, which is set for release in mid-2017 to replace Digital+2016.
In the audit report released on 30 March 2017, the Auditor-General identified information security problems in a number of agencies, mostly relating to user administration in areas such as password controls and inappropriate access.
Information security has been a long-standing problem for NSW agencies. In 2013, then Auditor-General Peter Achterstraat said he would step up the monitoring of agency compliance with requirements of the Digital Information Security Policy. In 2015, a NSW Financial Audit report found that 85 per cent of the 169 ICT issues raised were related to security vulnerabilities or poor practice.
As well as internal security problems, the recently released audit also found that some agencies had information security issues arising from their IT service provider arrangements, and recommended that agencies “should ensure information security controls and contractual arrangements with IT service providers adequately protect their data.”
The audit was a retrospective look at the big issues of 2016, and so also reviewed the less-than-smooth shared services transition from the internal agency ServiceFirst to its Unisys/Infosys GovConnect replacement. It found that the “mitigating actions taken to manage transition risks” put in place by Unisys and Infosys were not completely effective, and heightened the risk of fraud, error and inappropriate access to data.
The NSW Government commenced the transfer of SAP support, payroll, finance, HR and procurement responsibilities from ServiceFirst to Infosys and Unisys in 2015. The outsourcing was expected to provide modern, flexible and scalable solutions to deliver yearly savings of around $20 million, which was to be reinvested in front-line services. According to the audit, the transition period continued throughout 2016.
The audit put the onus on the Department of Finance, Services and Innovation (DFSI) to address GovConnect’s control deficiencies, and recommended the agency “examine the breakdowns in the transition of the shared service arrangements and apply the learnings to other services being transitioned to the private sector”.
Recognising that cyber risks are only going to increase, the Audit Office has said it will make cybersecurity a part of its 2017–18 performance audit program.
NSW is not alone in scoring poorly on information security. A Western Australian audit released in June 2015 exposed poor management of sensitive data in key government agencies during 2015, including weaknesses that threatened the security of the state’s repository of prisoner information.
At the federal level, a recent audit found that the Australian Taxation Office and Department of Immigration and Border Protection were non-compliant with the Australian Signals Directorate’s mandatory threat mitigation strategies. Both agencies had “reported compliance against three of the Top Four mitigation strategies” in annual self-assessments for the past two financial years.
A number of high-profile incidents – such as the 2016 ‘Census fail’ and the Medicare data breach – continue to thrust government cybersecurity capabilities into the public consciousness, prompting responses and heightening awareness of cybersecurity issues at the political level. With the next NSW election two years away (23 March 2019), the NSW government will be taking measures to ensure that its cybersecurity capabilities do not become an election issue.
Moves to shore up cybersecurity protections are evident across all levels of government. In addition to the appointment of Dr Milosavljevic as NSW’s WofG CISO, recruitment for cybersecurity leaders in South Australia and Tasmania also began in early 2017. At the federal level, the government has committed $195.1 million to cyber initiatives in the 2016 Cyber Security Strategy.