The NSW Government's response to the NSW Upper House inquiry into cyber security was released recently, setting out the Government's position on the issues the inquiry raised.
During the course of the inquiry John Frisken and Milton Baar, the two founders of ISG, gave testimony about their view of the issues that have faced the NSW Government and the way forward.
In 2001 ISG was the first company to be admitted to the NSW Government IT Security Panel, a demonstration of the strength of our personnel's expertise. John and Milton had previously worked together at Ernst & Young and shared a passion for applying international ISO standards to help businesses better manage their technology investments and business operations.
The backdrop to the inquiry was the cyber breach at Service NSW in 2020, which exposed the records of many NSW citizens. ISG Consulting made a written submission setting out its view of the history of cyber security initiatives in the NSW Government, some of the key challenges, and suggestions for moving forward with improvements. The ISG submission can be found at 0023 ISG Consulting Pty Limited.pdf (nsw.gov.au).
The main point of the submission is that the NSW Government initially pushed for the implementation of ISO standards across agencies, an initiative that continued until 2010, when security implementation was decentralised and responsibility handed back to individual agencies with few effective mechanisms for independent review. This was in contrast to the certification process that had previously been in place.
During the intervening years some new policies were introduced based around the NIST Cybersecurity Framework, a leading US standard widely followed in North America. ISG's submission did not seek to denigrate NIST, but highlighted that the ISO and NIST standards have different processes and governance models, which creates difficulty for organisations that base most of their management standards on ISO but build their cyber security processes around NIST. The combination of this policy incompatibility and the lack of effective review mechanisms meant that many agencies had stalled in their attempts to implement cyber security.
As a result the NSW Government had fallen behind other jurisdictions in its efforts to introduce cyber security. ISG suggested that NIST be incorporated at the controls level rather than at the framework level, where it was causing confusion alongside the ISO framework, and set out how this could be done.
On the strength of the submission, both Milton Baar and John Frisken were called as witnesses to the inquiry to explain the ISG submission more fully and answer questions from members of the Committee. The inquiry's report was received by the NSW Government in March 2021, with the Government's response due by the end of September 2021. The inquiry report can be found at Report (nsw.gov.au). The inquiry's main findings and recommendations covered:
- Structure of Cyber Security in the NSW Government
- Governance of Cyber Security, including independent review of agency performance
- Review of policies for Cyber Security
- Incorporating Cyber Security responsibilities into procurement contracts
- New processes for mandatory breach reporting in NSW Government agencies
- Promoting building a sovereign cyber security capability in industry
- Developing skills for managing Cyber Security in the workforce.
The NSW Government response can be found at Government response – Report No 52 – PC1 – Cyber security.pdf (nsw.gov.au). The NSW Government did not accept moving responsibility for cyber security into the Department of Premier and Cabinet, but largely agreed with most of the Committee's other recommendations.
The centrepiece of the response was the increased funding for the revamp of cyber security in NSW Government agencies announced in late 2020. The response also highlighted a number of other key initiatives, including:
- Introducing independent review of agency progress towards implementing cyber security, particularly the ACSC's Essential Eight mitigation strategies, and reporting of the maturity levels achieved by agencies
- Realignment of policy for Cyber Security, including the harmonisation of policy across the NSW Government Agencies
- Supporting new initiatives for development of Cyber Security skills in high schools and universities
- Supporting the development of sovereign capabilities for managing Cyber Security in industry.
More recently, at the end of October 2021, the NSW Audit Office released a detailed report setting out its independent findings on the implementation of the NSW Cyber Security Policy across a number of key NSW Government agencies. The Audit Office report can be found at Compliance with NSW Cyber Security Policy 2021.PDF.
The findings of the Audit Office review indicate that most agencies still have a significant way to go to address cyber security in their operations. The report now represents a sound baseline for moving forward in addressing cyber security in the NSW Government.
About the Author
John Frisken, CISA, CA
John is an information security and application development specialist with a distinguished career in professional practice with Ernst & Young and, subsequently, as founder and owner of the Information Systems Group (ISG), an international security consulting, systems integration and secure development company headquartered in Sydney, New South Wales, Australia.
Since establishing ISG in 1996, John has overseen the delivery of ISG's services, including ISMS implementation projects for many large public sector, judicial and utility organisations in Australia, and the development of complex applications leveraging advanced messaging and secure platform technologies.
John is a Member of ISACA and of the Institute of Chartered Accountants in Australia. He led the adaptation of the COBIT framework into the IFAC Delivery and Support Standards, which explain the application of the framework within a business context. He currently serves as ISG's director of professional services.