Report by Audit Office of New South Wales Examines State’s Cyber Policy
The Audit Office of New South Wales has published a report that presents its analysis of the NSW Cyber Security Policy compliance data submitted by State agencies to Cyber Security New South Wales in 2024, along with insights into the cyber security environment drawn from selected reports published between 2018 and 2025. This analysis includes reports from performance audits, compliance audits and financial audits.
The reliance on information technology in modern government, in addition to the global interconnectivity between computer networks, has dramatically increased the risk of cybersecurity incidents. Such incidents can harm government service delivery and may include the theft of information, breaches of private information, denial of access to critical technology, or even the hijacking of systems for profit or malicious intent. These outcomes can have adverse impacts on the community and harm trust in government.
The report is a resource for the public sector. It provides insights into the challenges and opportunities for strengthening cyber resilience.
Key insights from the report’s analysis of cyber security policy compliance data include:
- The need for agencies to focus on the cyber resilience gaps, particularly in implementing ‘protect’ domain controls;
- A lack of independent assurance over agency reporting against the Cyber Security Policy;
- Limited oversight of third-party providers; and
- A risk that aggregate reporting reduces visibility into agency compliance levels and cyber risks.
The report’s analysis of selected Auditor-General reports from 2018 and 2025 identifies that while cyber security governance in the NSW public sector has improved through broader adoption of policies and frameworks, there is still a critical need to:
- Address unclear roles;
- Adequately identify information assets;
- Manage third-party cyber security risk;
- Address failures to meet basic protection standards;
- Perform phishing simulations more regularly; and
- Align culture with cyber security environment to ensure controls are fit for purpose.