NSW Councils score poorly on Cyber security

The NSW auditor general has called for the Office of Local Government to develop a cyber security policy to ensure a consistent response across councils after finding 80% don’t have a cyber security framework.

“The Office of Local Government within the Department of Planning, Industry and Environment should develop a cyber security policy by 30 June 2021 to ensure a consistent response to cyber security risks across councils,” recommends Auditor General Margaret Crawford.

The report details the results of the 2018–19 financial audits of 125 councils, ten county councils and 11 joint organisations in NSW.

It notes ongoing deficiencies in information technology controls, particularly around user access management. It also found many councils do not have IT policies and procedures and others do not identify, monitor or report on IT risks.

“Cyber security management requires improvement, with some basic elements of governance not yet in place for many councils,” the report concludes.

IT governance was identified as one of the leading high-risk issues, along with cyber security management and IT general controls, including user access management, program change management, and disaster recovery planning.

The audit found 71% of councils didn’t have IT policies in critical areas such as disaster recovery and business continuity. Of those that do, 25% were not reviewed in line with the council’s scheduled review date to ensure they are up to date.

43% of councils were found to have insufficient password controls, and more than a third were without adequate user access removal controls.

Meanwhile, the audit found 80% of councils had no formal cyber security policy or framework, 84% didn’t budget for cyber security and 67% had not recently performed penetration testing (cyber-attack simulation).

“We continue to report deficiencies in information technology controls, particularly around user access management. These controls are key to ensuring IT systems are protected from inappropriate access and misuse,” Ms Crawford said.

The full report is available HERE