NSW Government told to urgently improve cyber security resilience. Essential 8.
Auditor reveals poor agency self-assessment results.
The NSW government has been told to improve its cyber security resilience for a second time in less than two years, after the majority of agencies reported low levels of maturity under the Essential Eight model.
An annual audit of the state’s central agencies, released on Thursday, reveals the NSW public sector is struggling to meet new requirements under the government’s new cyber security policy.
The policy, which came into effect in February, requires agencies to self-assess their maturity against the mitigation strategies – now considered the baseline for cyber security by the Australian Signals Directorate.
It was introduced in the wake of a 2018 audit that found agencies lacked the capacity to detect and respond to cyber security incidents, and that there was no government-wide capability to detect and respond to cyber security events.
Agencies are able to assess themselves under four levels of maturity: zero, one, two and three. Three of these levels are found in the Essential Eight, while ‘maturity level zero’ is limited to the NSW policy.
Agency self-assessment results for servers
| E8 Mitigation Strategies | Maturity Level Zero | Maturity Level One | Maturity Level Two | Maturity Level Three | Total |
|---|---|---|---|---|---|
| Application whitelisting (Top 4) | 53 | 3 | 2 | 4 | 62 |
| Patch application (Top 4) | 23 | 16 | 16 | 7 | 62 |
| Patch operating system (Top 4) | 32 | 23 | 4 | 3 | 62 |
| Restrict administrative privileges (Top 4) | 45 | 13 | 3 | 1 | 62 |
| Configure Microsoft Office macro | 28 | 13 | 16 | 5 | 62 |
| User application hardening | 18 | 17 | 23 | 4 | 62 |
| Daily backups | 6 | 18 | 11 | 27 | 62 |