The NSW Public Sector’s cyber security resilience needs urgent attention

The NSW Cyber Security Policy requires agencies to provide a maturity self-assessment against the Australian Cyber Security Centre (ACSC) Essential 8 to the head of the agency and Cyber Security NSW annually.

The Auditor-General for New South Wales, Margaret Crawford, December 2019

https://www.audit.nsw.gov.au/our-work/reports/central-agencies-2019-0

The NSW Cyber Security Policy requires agencies to provide a maturity self-assessment against the Australian Cyber Security Centre (ACSC) Essential 8 to the head of the agency and Cyber Security NSW annually. Completed self-assessment returns highlighted limited progress in implementing the Essential 8.

We recommend Cyber Security NSW works with agencies to improve cyber security resilience as a matter of urgency.

The NSW Public Sector’s cyber security resilience needs urgent attention

The NSW Cyber Security Policy requires agencies to provide a maturity self-assessment against the Australian Cyber Security Centre (ACSC) Essential 8 to the head of the agency and Cyber Security NSW annually. Cyber Security NSW received 62 completed self-assessment returns across all eight clusters. While only 62 completed self-assessment returns were received, the self-assessment results provide coverage over the NSW public sector as some returns applied to multiple agencies.

The Essential 8 comprises:

  • Mitigation strategies to prevent malware delivery and execution
    • Application whitelisting allows only approved programs to run on systems.
    • Patch applications with security fixes once they are available.
    • Configure Microsoft Office macro settings to only allow trusted macros to run within Office applications.
    • User application hardening, by switching off unneeded parts of applications.
  • Mitigation strategies to limit the extent of cyber security incidents
    • Restrict administrative privileges to minimise the use of the most powerful accounts and protect them from misuse.
    • Patch operating systems with security fixes once they are available.
    • Multi-factor authentication to add extra layers of protection and ensure only approved users can access systems.
  • Mitigation strategies to recover data and maintain system availability
    • Daily backups of important data, software and configuration settings so that they can be restored if systems are compromised.

Refer to the link for the Australian Cyber Security Centre’s definition of ‘Essential 8’ mitigation strategies.
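As an added example (not part of the Audit Office report or the NSW policy), the following PowerShell audits and hardens the Microsoft Office macro policy on a single Windows host to match the intent of the third mitigation listed above, "only allow trusted macros to run". It assumes Office 2016 or later (registry version key 16.0) and Group Policy style settings under HKCU:\Software\Policies; the function names and the two setting tables are the example's own.

```powershell
# Added example, not the report's or ACSC's code: audit and harden the Office macro
# policy on one Windows host.
# Assumptions: Office 2016/2019/365 (registry version key 16.0) and policy keys under
# HKCU:\Software\Policies (policy keys override the per-user keys under
# HKCU:\Software\Microsoft). Adjust $OfficeVersion for other releases.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings values: 1 = enable all macros (weak), 2 = disable with notification,
# 3 = disable all except digitally signed macros, 4 = disable all without notification.
# blockcontentexecutionfrominternet = 1 blocks macros in files marked as from the Internet.
$WeakSetting   = @{ VBAWarnings = 1; BlockContentExecutionFromInternet = 0 }   # shown for contrast only
$StrongSetting = @{ VBAWarnings = 3; BlockContentExecutionFromInternet = 1 }   # signed macros only

function Get-OfficeMacroPolicy {
    param([string]$App)
    $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        App                               = $App
        VBAWarnings                       = $props.VBAWarnings
        BlockContentExecutionFromInternet = $props.blockcontentexecutionfrominternet
    }
}

function Test-OfficeMacroPolicy {
    # Prints one line per application and returns $true only when every
    # application blocks unsigned macros AND macros from the Internet.
    $ok = $true
    foreach ($app in $Apps) {
        $p = Get-OfficeMacroPolicy -App $app
        $signedOnly = $p.VBAWarnings -in 3, 4            # 3 = signed only, 4 = all macros off
        $blockInet  = $p.BlockContentExecutionFromInternet -eq 1
        $state      = if ($signedOnly -and $blockInet) { 'aligned' } else { 'NOT aligned' }
        $vba        = if ($null -eq $p.VBAWarnings) { 'unset' } else { $p.VBAWarnings }
        $inet       = if ($null -eq $p.BlockContentExecutionFromInternet) { 'unset' } else { $p.BlockContentExecutionFromInternet }
        '{0,-11} VBAWarnings={1,-5} BlockFromInternet={2,-5} -> {3}' -f $app, $vba, $inet, $state
        $ok = $ok -and $signedOnly -and $blockInet
    }
    return $ok
}

function Set-OfficeMacroPolicy {
    param([hashtable]$Setting)
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $Setting.VBAWarnings -Type DWord
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
            -Value $Setting.BlockContentExecutionFromInternet -Type DWord
    }
}

# Usage: report the current state, apply the hardened policy, then re-check.
Test-OfficeMacroPolicy
Set-OfficeMacroPolicy -Setting $StrongSetting
Test-OfficeMacroPolicy
```

Running the first check on a host still at the weak setting (VBAWarnings=1, or the value unset) reports each application as "NOT aligned"; after Set-OfficeMacroPolicy the check returns $true. In a fleet these values belong in a Group Policy Object rather than a logon script, so the per-host registry check is best used to verify that the GPO actually applied, and it should be paired with a trusted-locations review, since a macro in a trusted location runs regardless of VBAWarnings.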

The ACSC Essential 8 model identifies three levels of maturity for organisations to use when assessing the maturity of their Essential 8 implementation. The NSW policy adds Maturity Level Zero to its assessment model to cater for maturity levels lower than Maturity Level One.

Maturity levels explained:

  • Maturity Level Zero: Not aligned with the intent of the mitigation strategy.
  • Maturity Level One: Partly aligned with the intent of the mitigation strategy.
  • Maturity Level Two: Mostly aligned with the intent of the mitigation strategy.
  • Maturity Level Three: Fully aligned with the intent of the mitigation strategy.

Refer to NSW Cyber Security Policy: Maturity Model, tab 4 ‘Essential 8 Maturity Model’.

This was the first time agencies were required to report against the ACSC’s ‘Essential 8’ cyber risk mitigation strategies. The self-assessments were unaudited.

Number of self-assessments

Essential 8 mitigation strategy                   Maturity Level              Total
                                               Zero    One    Two   Three
Application whitelisting                         53      3      2       4     62
Patch applications                               23     16     16       7     62
Configure Microsoft Office macro settings        32     23      4       3     62
User application hardening                       45     13      3       1     62
Restrict administrative privileges               28     13     16       5     62
Patch operating systems                          18     17     23       4     62
Multi-factor authentication                      26     19     14       3     62
Daily backups                                     6     18     11      27     62

Notes:
1  Some Essential 8 mitigation strategies are disaggregated between servers and workstations. The self-assessment summary above includes agencies’ self-assessed maturity responses for servers only, on the basis that servers generally pose the greater cyber security risk.
2  Some agencies submitted scores between levels (e.g. 0.5 or 1.5 scores). In such instances, scores were rounded down.
Source: Individual self-assessed Essential 8 maturity returns (unaudited).
Recommendation
We recommend Cyber Security NSW works with agencies to improve cyber security resilience as a matter of urgency.

The Department of Customer Service advises that following the first year of reporting under the NSW Cyber Security Policy, cluster secretaries will report to the Secretaries Board on their progress against all elements of the policy.

The Secretaries Board is made up of the cluster secretaries of the principal departments, and the Public Service Commissioner.
