None of NSW's lead cluster agencies have implemented all Essential Eight controls

Image: Audit Office of New South Wales

The cybersecurity policy for New South Wales government agencies is not sufficiently robust which is a cause for “significant concern”, according to the state’s auditor-general Margaret Crawford.

“Key elements to strengthen cybersecurity governance, controls, and culture are not sufficiently robust and not consistently applied. There has been insufficient progress to improve cyber security safeguards across NSW government agencies,” the auditor-general wrote in a compliance report [PDF] about the state’s cybersecurity capabilities.

The audit assessed whether nine of the state’s lead cluster agencies — Premier and Cabinet, Communities and Justice, Customer Service, Education, Planning, Regional NSW, Health, Treasury, and Transport — had provided accurate reporting on their level of maturity in implementing the requirements of the state’s cybersecurity policy.

Of these agencies, none of them have implemented all of the Essential Eight controls at level one, with the auditor-general saying that all organisations at a baseline should be at level three.

She added that all agencies failed to reach even level one maturity for at least three of the Essential Eight strategies.

Seven of the nine participating agencies also reported levels of maturity regarding cybersecurity policy and the Essential Eight that were not supported

Read More: