Cyber Security NSW falling short in local government remit


The NSW state government gave Cyber Security NSW responsibility in 2020 to improve cyber security in the local government sector, but didn’t give it the power to mandate councils’ security.

The NSW auditor-general noted the discrepancy in its report into Cyber Security NSW yesterday.

“Under its 2020 enhanced funding, Cyber Security NSW was given a range of general responsibilities for extending support to, and raising capability of, cyber security in the local government sector,” the auditor wrote.

That was to include proactive monitoring and intelligence, along with training and awareness.

While the whole-of-government security agency has engaged with the local government sector, it has achieved mixed results.

The report noted the lack of a “formal mandate” for the sector, but also criticised Cyber Security NSW for the lack of “an engagement plan or strategy to guide its engagement with the local government sector.”

“It is unclear whether the services available to councils are well targeted to raise their cyber security resilience, or whether councils have detailed awareness of existing services,” the report added.

The agency has adopted an opt-in approach to engaging with councils, the auditor-general said.

Further, its non-binding guidelines, developed in collaboration with the Office of Local Government, were delayed and were only released on December 19 last year.

Among recommendations to improve its work with councils, the auditor-general said the security agency should compile “a detailed, complete, and accessible catalogue of services available to agencies and councils”, as well as develop an engagement strategy for the local government sector.

The auditor-general has also criticised Cyber Security NSW for not auditing state government agencies’ self-assessments of their security maturity.


