The NSW Government has been told by the state’s Audit Office to build cyber security incident reporting requirements into its procurement contracts amid concerns over the state Government’s capability to detect and respond effectively to cyber security incidents.
The recommendation came as a result of a performance audit by the Audit Office of NSW investigating cyber security incident detection and response in the NSW public sector.
“There is no whole-of-government capability to detect and respond effectively to cyber security incidents,” the Audit Office said in its report conclusion. “There is limited sharing of information on incidents amongst agencies, and some of the agencies we reviewed have poor detection and response practices and procedures.
“There is a risk that incidents will go undetected longer than they should, and opportunities to contain and restrict the damage may be lost.”
The Audit Office went further, suggesting that, given current weaknesses, the NSW public sector’s ability to detect and respond to incidents needs to improve significantly and quickly.
One of the factors hampering the capabilities of the NSW Government, in the view of the Audit Office, was that most of the state Government’s IT service providers are not contractually obliged to report incidents to agencies.
“Agencies advise that IT service providers report cyber security incidents to them, but only two of ten had contractual arrangements which obliged providers to report incidents in a timely manner,” the Audit Office said. “Agencies without such arrangements have little assurance that they are advised of all significant incidents in a timely way.
“Where agencies are not informed of an incident, they cannot act to contain the incident and limit damage to themselves and their stakeholders,” it said.
As such, the Audit Office recommended that the state Government direct agencies to include standard clauses in contracts requiring IT service providers to report all cyber security incidents within a reasonable timeframe.
The Audit Office also noted that the state’s Department of Finance, Services and Innovation (DFSI) has recently implemented a revised contract template, for agencies entering into IT contracts worth over $150,000, which requires IT service providers to report security issues to agencies immediately and to conduct an investigation.
“It has taken steps to communicate the new requirements across the public sector, although it does not follow up with agencies to ensure agencies are using the templates,” the Audit Office said.
The Audit Office also recommended that the NSW Government implement better-practice guidelines for incident detection, response and reporting to help agencies develop their own practices and procedures.
In addition, the Audit Office recommended training and awareness programs, including tailored programs for a range of audiences such as cyber professionals, finance staff, and audit and risk committees, and the enhancement of NSW public sector threat intelligence gathering and sharing.
It also recommended that the state Government develop whole-of-government procedures, protocols and supporting systems to effectively share reported threats and respond to cyber security incidents impacting multiple agencies, including post-incident reviews and communicating lessons learnt.
“We acknowledge that more must be done to protect our systems and ensure they are resilient and fit-for-purpose in the digital age,” NSW Minister for Finance, Services and Property, Victor Dominello, said in a statement responding to the Audit Office’s report.
“Cyber security is an evolving threat which is why we created the position of Government Chief Information Security Officer (GCISO) to improve cyber security co-ordination and support across Government.
“The GCISO is also working with Federal bodies including the Australian Cyber Security Centre to share information and best practice,” he said.