NSW Audit Office completes move to cloud amid yearly cyber recap

The move started in May 2021 and ended in June this year.

Margaret Crawford (Auditor-General of NSW)

Credit: Audit Office of NSW

The enhancement of the Audit Office of NSW’s cyber resilience strategy played an “integral” part in its quality assurance over the 2021-22 financial year, which included completing its move to the cloud.

In its annual report for the year ending 30 June, the Office said it transitioned its core infrastructure from a data centre environment to the cloud with the help of unspecified technology partners.

By completing the move, which wrapped up on 30 June, the Office claimed it will “enhance our data and systems security” and systems reliability. 

The move to the cloud was mentioned by the agency last year in its 2020-21 report, with it engaging an unspecified partner and beginning the project in May 2021.

This was one element of the Office’s decision to uplift its cyber security framework, systems and processes, which it said was a key focus area during the year.

“Our strategic risk management of cyber security requires us to continuously evaluate threat and control landscapes and ensures our defences are consistent, appropriate, reasonable and effective,” the report stated.

“This approach supports us to keep pace with the constantly evolving risk environment, and ensures our initiatives and controls remain effective in mitigating cyber security risks.” 

Part of that approach included continuous improvements based on the Australian Signals Directorate’s Essential Eight risk mitigation strategies, which, according to the ASD’s Australian Cyber Security Centre, primarily focus on Windows-based internet-connected networks.

It claimed the hiring of a cyber analyst as one of its security-related achievements, as well as embedding its information classification and labelling policy, conducting a cyber security resilience review against the US National Institute of Standards and Technology’s NIST Cybersecurity Framework and renewing its ISO27001:2013 security certification.

The report also said the Office participated in NSW Cyber Security capture the flag exercises and a cyber simulation exercise with select members of leadership and crisis management teams. 

The focus on cyber security ties in with one of the key strategic risks the Office flagged as a hypothetical worst-case scenario: a lack of “consistent, adequate, reasonable and effective cyber security controls”.

The agency first introduced this key strategic risk in its 2021-22 report.

If the worst-case scenario took place, the report claimed that it may result in “indefensible legal or regulatory breaches, [an] inability to continue business or reputational damage”. 

Looking to the financial year ahead, the Office is set to continue building up its cyber security resilience and reducing its risk through a number of initiatives, including updating and enhancing its use of existing security systems and resources. 

It also plans to review its third-party security policy and risk management processes and offer employees a refreshed annual learning program and information campaigns on threats and their prevention.

The Office's admission comes a year after it assessed nine agencies' compliance with the NSW Cyber Security Policy (CSP) and released a report in October 2021, finding “insufficient progress to improve cyber security safeguards”.

