One of the biggest and most welcome changes to the modern workplace has been the increased focus on employee mental health and wellbeing. And we don’t mean the ‘mindfulness messages’ on your smart watch or the endless parade of ‘wellness gurus’ on social media…we’re talking about genuine, organisational attempts to make (and keep) employees comfortable, balanced and engaged while at work.

While the COVID-lockdown period was hard on everyone, employee engagement continues to be challenging during the post-lockdown ‘hangover’ period. While some employees have thrived away from the office environment (and are resisting and feeling stressed about returning to the office), others have struggled with the social isolation caused by long periods away; some may even have developed mental illnesses as a result. In each case, it is unlikely that an ‘inspirational’ poster, innovative social activity, or a communal tin of biscuits will be an adequate organisational mental health and wellbeing strategy.

The impact of good (and bad) wellbeing policies

Disgruntled and dissatisfied employees can result in unhealthy conflict, a lack of productivity, increased staff turnover, and the increased risks of fraud, corruption, and potential sabotage. On the other hand, engaged employees are known to:

  • Be more productive, creative, resilient, and collaborative;
  • Take less sick leave; and
  • Give greater loyalty to their employer

Apart from the obvious benefits to both the employer and the employed that emerge from supporting a happy and productive workforce, it is also important to note that employee mental health is a Workplace Health and Safety issue.

Employers have a legislated responsibility to manage health risks and hazards in the workplace, including psychosocial ones. A mentally healthy workplace is not just ‘nice to have’, it is something organisations should actively pursue.

This begs the questions:

What makes for a mentally healthy workplace?

and

How can we be sure that our workplace is doing a good job in supporting the positive mental health of our employees?

They might sound like heavy questions, but with the right tools, they don’t have to be hard to answer.

Get an Organisational Health and Wellbeing check

In order to help both private and public organisations answer questions around mental health and wellbeing policies and improve their level of support, Centium has developed a Health Check to assess your organisation’s approach to Workplace Mental Health and Wellbeing.

The Health Check is comprehensive, and includes:

  • A focus on organisational legislative responsibilities in relation to Health and Safety
  • Key guidance and better practice principles, such as the new SafeWork NSW Code of Practice for Managing Psychosocial Hazards at Work
  • Systematic reviews and evaluations of organisation’s relevant policies, procedures, safety plans, responsibilities, support services, and training, against the governing legal requirements and better practice advice

Centium’s integrity, independence, and extensive experience in providing risk and assurance services to a wide range of private and public sector organisations contributes to ensuring that our views are objective, and our analysis is sound and evidence based.

For further information on the Health Check please contact Penny Corkill, Centium’s Director of Risk and Assurance on 0409 251 011 or email Penelope.Corkill@centium.com.au.

All NSW State Government agencies are required to develop and maintain an ISO 27001 compliant Information Security Management System (ISMS), under the requirements of the State’s Cyber Security Policy (CSP).

Agencies must also definitively and positively attest to the CSP as part of their Annual Reporting process.

What is required?

By 31 October each year, agencies must submit a report to their cluster CISO, or Cyber Security NSW. This same attestation must be provided in the Agency's annual report. The report includes an assessment against the mandatory requirements of the CSP and a maturity assessment against the Australian Cyber Security Centre’s (ACSC) Essential 8.

Non-compliance or partial compliance with this requirement may be difficult to explain to senior management and oversight bodies, such as the agency’s Audit & Risk Committee.

Some tips for CSP readiness…

Start early. In our experience, agencies do not start the attestation process early enough to ensure an improvement on last year. As a result, there is often insufficient time to complete relatively simple remedial actions that might mitigate serious cyber risks.

Review your ISMS. An agency’s Information Security Management System should be risk-based and fit for purpose. It should be reviewed annually to ensure that it remains current and reflects any changes that may have occurred within and external to the agency (e.g. Machinery of Government, ICT systems, contracts/outsourcing, third party supplier arrangements, risk appetite/profile, policy changes, etc.).

Conduct a Mock Audit. A number of agencies have introduced a “mock audit” phase into their CSP attestation process. Using this approach, the agency has time to rectify easy-to-fix remedial issues before the attestation is due, thereby lifting their overall security posture (and CSP score).

Test your Cyber Security Incident Response Plan. A Response Plan and well-facilitated simulation exercise can tick quite a few boxes and should not be left to the last minute. Agencies are required to attest that they have an up-to-date Plan. Importantly, in demonstrating cyber maturity they are also required to attest that the Plan has actually been tested within the past year.

Deliver Awareness and Training sessions. A significant proportion of cyber incidents are caused by human factors, many of which could be avoided by ongoing cyber training and awareness sessions. Such training should be mandatory, engaging, relevant…and most importantly, regular.

How Centium can help

We have a team of ISMS experts and cybersecurity specialists who have worked with dozens of State Government agencies across NSW over the past three years. During that time, Centium has assisted numerous agencies to migrate from the DISP to the CSP and to update their ISMSs to meet the new obligations. We have also mapped across the Essential 8 and have many shortcuts and helpful “lessons learnt” to share with our clients.

We can help you be CSP Ready by:

  • Reviewing/updating your ISMS so that it is risk-based, fit for purpose and aligned with the CSP
  • Undertaking an ISMS independent internal audit per CSP requirements
  • Conducting mock audits to identify any gaps that may prevent you from demonstrating CSP and Essential 8 improvement
  • Undertaking remedial actions to comply with the CSP’s mandatory requirements
  • Testing your Cyber Security Incident Response Plan
  • Testing your Business Continuity and ICT Recovery Plans
  • Reviewing your third party supplier arrangements
  • Facilitating face-to-face and e-Learning cybersecurity sessions for staff and contractors.

And, when the time comes, we can provide an independent assessment of your CSP performance, which entails:

  • Preparing your attestation against the CSP mandatory requirements
  • Undertaking an Essential 8 maturity assessment
  • Ensuring that you meet the 31 October reporting deadline each year.

Contact us

For more information, please contact Vipan Chauhan, Director, Cyber & IT on 0434 896 764 or vipan.chauhan@centium.com.au.

Explore Centium's robust and proven Cyber, IT & Business Continuity for small and medium Government organisations.

Local Councillors play a fundamental role at the community level in our democracy. They participate in shaping the places they live in and act in the best interest of their communities. In so doing, they come to understand the most difficult and most critical pressures facing their communities.

Local Government is often a training ground for other leadership roles, whether in government at all levels or in other walks of life. That’s why, following Council elections, a good post-election induction process is vital. It ensures that the new Council understands the legal responsibilities of its role, builds a sense of camaraderie and willingness to work together, and sets up parameters to guide future decisions about priorities and programmes.

After being postponed twice by Covid-19, NSW Council elections were held in December 2021. This delay meant the 2021 post-election induction process was particularly challenging because it compressed the time frame within which to meet legislative deadlines. It also required newly elected Councillors and their Councils to complete mandatory tasks during the Christmas break.

Moreover, because the next elections are scheduled for September 2024, the upcoming Council term is shorter than the usual three years, so new Councils have less time to set goals and priorities.

This doesn’t necessarily mean the effectiveness of this term needs to be impacted. Elections and the changes that come with them are a great time for Councils to change and improve internal strategies and priorities, leading to better community outcomes. So, what can we learn from those going out, those coming in, and the challenging circumstances of this election to make the next Council term a better one?

Nine suggestions for improving post-election induction & Councillor impact

As part of our support training and strategic planning with Council clients, Centium has introduced a new process which has resulted in the recording of fifty-six interviews with individual Councillors, both new and outgoing, from four different Councils.

The interviews are de-identified and anonymous, allowing all Councillors to speak freely in a ‘thinking out loud’ environment, away from the rigors and restrictions of public debate. Councillors were encouraged to:

  • Express their own aspirations and priorities
  • Consider the most important issues facing constituents and their communities
  • Articulate the challenges and difficulties they experienced during their term on Council (for outgoing Councillors)

Here, we have summarised the information collected so that it can be harnessed to shape and direct the support new Councillors need to fulfil their roles.

Induction and Professional Development 

  1. Improved education
    “We need to work harder to make sure the Councillors understand better. We need so much more education – not just about the programs, but about how to work together.”
    It is easy for staff to imagine that new Councillors know more than they actually do. The induction process is important to educate Councillors on a range of issues.
  2. A better understanding of role and Council operations
    “We needed Code of Meeting practice training, what our role is and how to conduct yourself in a meeting. It could cover the rules of debate, points of order, chairing meetings. How do you write a notice of motion? When should it be a motion rather than general business? It took me ages to work out why you get the same information for different kinds of meetings.”
    New Councillors need to be presented with an overview of the operations of the Council, and an understanding of their role. They need legislative training on Code of Conduct requirements, particularly to understand conflicts of interest and how to identify and manage those. Code of Meeting practice training is also important.
  3. New Councillors need to be educated on development issues
    “We need better ways of accessing training options, better standard Councillor training every 12 months that’s relevant, and that’s opt in, especially when there are changes to legislation. What about staff briefings on webinars so we can access them when we need them?”
    Education on things like the terminology, impacts, level of control, and an understanding of how to get better solutions to resolve community conflict. Ongoing training is required for all Councillors to ensure they keep up to date during their entire term of Council. Councils can be proactive about anticipating the skills and knowledge for Councillors’ continuing professional development. Site visits help new Councillors get a sense of what’s going on.

Accessing Information

  1. Better responses to community requests
    “If we have oversight at a high level then we can trust the systems to handle our requests too.”
    New Councillors are contacted immediately after their election by constituents with issues, concerns and complaints, and a few key staff could be nominated as contacts to receive the most common of these and also to explain constraints and realities. Timeframes for responses to requests are an important part of the equity of the complaints handling system, and Councillors need clear and reliable information about how requests will be handled and reasonable response timeframes.
    New Councillors need to learn to understand and trust the broader prioritising process that exists to handle community requests, so that they can maintain a strategic overview of quality and direction without getting inappropriately involved in individual matters.
  2. Online access to key information
    “We need something a bit more refined so that critical timely and relevant documents can be accessed quickly. We need this to counteract Councillors’ complaints that they didn’t receive something - if it’s on the portal then people can go and refresh their own memory rather than making an issue of it. The portal needs a file structure and an index.”

Many Councils are implementing an information portal that is hosted on their intranet. Full access and visibility to shared information should be implemented – a Councillor calendar for events and attendance, reports on resolutions status, business papers.

Working with Council Staff

“I’ve experienced senior staff who worked very hard to show that they were here for all of us. We had a serious level of respect for those staff. There were people who made sure it was a ‘no embarrassment’ Council. The trust needs to be developed to have an exchange of views with Councillors in a non-adversarial way.”

  1. Adaptive communication
    “Some of us have day jobs, and I try to phone staff in my lunch hour and leave a message, but they ring back when we’re at work too.”
    Different Councillors work in different ways; they are busy people, and so are staff. Communication between Councillors and staff needs to adapt to the different ways that each are working, including the use of emails or phone calls and an understanding of the timing that suits all parties.
  2. Active engagement and input
    “There needs to be more briefings with Councillors before issues come to Council, and actually with enough time to have an influence and in the shaping process. Councillors should be taking an active role, not to take away from the role of the specialists. We shouldn’t be left till the end of the process with something we don’t want to support.”
    At its best the communication between Councillors and staff is a genuine engagement, to build up the common knowledge base, so that there’s more consensus.

Building Camaraderie and Consensus

  1. A positive culture
    “We need to build the capacity for robust debate, that is based on respect and good humour, and helps to develop good relationships.”
    There are positive initiatives that can be put in place to create and build a positive culture amongst the governing body.
  2. Strategies focused on building relationships and managing interpersonal issues
    “The strategic retreats were quite good. They didn’t need to be so salubrious, but it was a strategic meeting together and an opportunity to talk things through. They could substitute the briefings with more strategic meetings, it needs to happen more frequently. Say check-ins quarterly – around the bigger issues and having more input as Councillors. Otherwise it’s not genuine dialogue, it doesn’t feel like we’re coming together to have genuine input.”
    Social occasions can offer Councillors the informal opportunities to get to know each other. Some difficult individuals can work to derail the culture and cause churn at the senior level. One or two people can do so much damage, and everyone needs to have better strategies for dealing with difficult Councillors who may cause divisions, so that the focus is always on the best interests of the whole community.

Putting learnings & suggestions into action

It can sometimes be difficult to drive change, but the weeks and months post-election are one of the best times to implement new strategies within Council.

Centium has been working with several NSW Councils both before and after the recent election to ensure that Councils and Councillors are set up for success. We support Councils and Councillors to ensure that they are best placed to make good decisions that benefit their communities. We can provide:

  • Confidential Councillor interviews to identify issues and solutions
  • Councillor support: benchmarking and service review
  • Facilitated workshops with Councillors and Executive Staff
  • Councillor professional development
  • Code of Conduct and Code of Meeting Practice training

The governing body plays a crucial role in a highly functioning Council, and specific strategies can be introduced to ensure that Councillors are guided and supported to enhance the reputation and performance of their Councils.

Contact our Manager Strategy and Engagement for a no-obligation discussion on 0409 830 283 or at sarah.artist@centium.com.au. You may also reach out to us at info@centium.com.au if you're a government or not-for-profit organisation that has an interest in our services and wish to discuss


It’s not uncommon, at the end of a Cyber Audit Cycle, for organisations to be hit with lower than expected audit outcomes and maturity levels. At that point, the audit’s outcome is locked in, and there is no possible recourse.

This isn’t a good situation for an organisation to be in. A poor cyber audit outcome can have several negative consequences for organisations, including financial penalties, higher operational costs, compromise of confidentiality, integrity and availability of critical assets, and a loss of trust and reputation from clients and the public. 

That’s why, when it comes to Cyber security compliance audits, the heavy lifting should not be left to the end.  

This can all be avoided with a more proactive approach. In most situations, a timely mock audit can help in identifying shortcomings that, when addressed, can substantially improve an audit outcome.  

What is a mock audit? 

The mock audit is much like an actual audit: the methodologies, standards and recommendations applied reflect those of the actual audit. It therefore takes the mystery out of the review by identifying compliance gaps and areas requiring improvement, and by suggesting the corrective actions you need to take to succeed in the audit.

This type of proactive planning has many benefits, such as:  

  • increasing your cyber defence readiness 
  • clarifying where your organisation currently stands 
  • granting better results when the actual audit occurs  

All these benefits enable you to avoid costly fines and penalties, while enhancing stakeholders' trust and reputation in your organisation.   

A mock audit is particularly valuable if your organisation has never been examined, as there may be significant gaps and deficiencies that have not been discovered yet. Even if your organisation has already been examined, a mock audit is worth considering as there may have been significant changes in your business, such as new services or other internal and external rules and regulations, since your last audit.  

How can a mock audit help? 

  • Ensures there are no surprises that turn up during an audit  
  • Identifies gaps and sets expectations early  
  • Helps identify training needs for your key stakeholders 
  • Ensures more positive audit outcomes with higher maturity ratings 
  • Saves valuable time and resources 

Accessing independent, cost-effective mock audit and audit expertise  

An independent, competent, and qualified third-party consultant will bring a fresh perspective and assist in identifying gaps you might not even know existed. 

Centium is an agile management consulting firm that specialises in minimising risk for government organisations. A large part of that is providing independent IT and Cyber Security services that add value and mitigate risks.  

We specialise in audit services and can undertake a Cyber Security Mock Audit against your cyber security requirements, such as the NSW Cyber Security Policy, the ACSC Essential 8, NIST, PCI DSS, SOC1/ISAE3402, SOC2 or ISO27001. We can also follow up with a (cost-effective) formal audit within the defined timelines, ensuring higher audit compliance ratings along with significant time and cost savings.  

For more information about how this approach can add value to your Organisations' Cyber security efforts, please contact our Director, Cyber & IT, for a no-obligation discussion on 0434 896 764 or vipan.chauhan@centium.com.au. Alternatively, browse Centium's range of Cyber & IT services.   

Ready to work with us?

If you're a government or not-for-profit organisation that has an interest in our services, you can reach out to us at info@centium.com.au to discuss your needs, or to find out more about how our alliance could benefit you.


We're thrilled to announce our strategic alliance with CT Management Group (CTMG), one of Australia’s most trusted providers of local government professional services. This alliance is a big step towards expanding our range of services to new locations across Victoria and Queensland.

The partnership is the result of a close professional relationship that we are confident will only continue to grow. We’re delighted to build a partnership with an organisation that not only has a great reputation, but also shares our values, standards and professional skills.

By combining the strengths and expertise of our two firms, we will continue to deliver exceptional services to our clients in the government and not-for-profit sectors.

What this partnership means for our clients

Centium and CTMG share a common goal of providing honest and effective support to organisations, and we are thrilled to expand our range of professional offerings to a broader range of clients - both in terms of services and location.

In addition to Centium's current service offerings, government and not-for-profit organisations across Victoria and Queensland will now be able to access a new range of services and expert knowledge that includes asset management, financial management, and strategic service planning. The full range is listed below.

Our current and future clients based in our existing locations of Sydney, Melbourne, and regional areas will also be able to access this expanded range of services.

Over the coming months, we’ll be showcasing various Success Stories and team member profiles of both Centium and CTMG. This will show the variety of new value adding services and expertise we offer.

Our expanded range of services

Our partnership covers the range of services below:

Products and services delivered by CTMG

  • Service – Service Planning:
    • Strategic service planning
    • Service Reviews
  • Service – Asset Management:
    • Governance Framework: Policy, Strategy, Asset Management Plans
    • Building condition assessments
    • Asset Demand Renewal Modelling
    • Fleet & Plant
    • Capital Works programming and prioritisation
  • Service – Financial Services:
    • Financial Sustainability Reviews
    • Differential Rating and Revenue Strategies
  • Products:
    • Long Term Financial Plan
    • Service Cost Evaluation Model
    • Capital Expenditure Evaluator

Services delivered by Centium:

  • Internal Audit
  • Risk Management
  • Ethical Conduct & Investigations
  • Cybersecurity and Information Technology
  • Probity and Procurement
  • Business Continuity & Resilience

About CTMG

CT Management Group has been one of Australia’s most trusted providers of local government professional services for over 25 years.

CT Management Group provides professional services to state government, councils, and not-for-profit organisations across the eastern states of Australia. They are listed on all relevant government panels in each of those states.

You can learn more about CTMG by heading to their website.

Ready to work with us?

We look forward to working together with CTMG to assist our clients with improving their governance and managing their assets and risks. 



In most public sector jurisdictions, internal audit is a mandatory requirement. There will always be some routine “tick and flick” type audits that will be required from time to time to confirm the adequacy of controls for generic activities. But effective Internal Audit is about so much more than the old “tick and flick”.

Ever since non-core services were first contracted out en masse in the 1990s, Internal Audit has too often been perceived as some sort of generic commodity. This is a fallacy. While the physical process of auditing can be somewhat generic, the professional judgement, expertise, care, professionalism, as well as the depth and breadth of experience, are key differentiators of quality.

A worthy service provider will not only provide you with a good price, but even better value.

An Analogy

Say you are in the market for some chilled drinking water. There are three taps on the wall from three different suppliers and you must choose only one. They all look pretty similar, except that one of the taps is gold-plated. Prices are competitive in relation to the water that each tap provides. The gold-plated tap looks nice and shiny, so you choose that one.

You turn the shiny gold tap and find that the water pressure is very low. It takes ages to fill your glass. The water itself, while safe to drink, is slightly warm and tastes a bit strange.

Disappointed, you then turn the next tap. The water pressure is good, but the water looks rusty and smells. You don’t even risk tasting it.

Shaking your head, you turn the last tap. The water flows out at good pace, is cool, looks clear, and tastes fine.

So which tap provides the best value? Most people would agree that it’s the third tap. The first tap looks great and technically meets your needs, but the water it provides, and the manner in which it provides it, are not really what you wanted. The second tap, while it provides sufficient water, doesn’t really meet the brief at all.

Only the third tap provides a product that services both your needs and your wants at a competitive price.

Applying this analogy to internal audit

Setting out what makes a good Internal Audit service provider, instead of an average one (or a poor one…) can be difficult. Based on our long experience working with clients across all sectors, we’ve developed a summary of the high-value versus the not so good aspects of internal audit service delivery.

Ineffective IA service delivery, and why not:

Labour-intensive: Clients do not want to ‘hold the hand’ of the auditor for an extended period.
  • Time is better spent elsewhere.
  • Auditors should be skilled enough to operate independently.
  • Auditors should have relevant experience, preferably regarding the subject matter or within the sector.

Not risk-based: Clients do not want lots of low-risk “housekeeping” audit recommendations.
  • Management and the Audit Committee spend a disproportionate amount of time monitoring low-risk actions that do not add much value or mitigate key risks.
  • Line management experiences audit fatigue, as they do not have time to implement change before the next audit.

Lacking quality: Clients do not want to perform badly against external Quality Assurance Reviews of the Internal Audit function.
  • An external review is a requirement of the IIA’s International Professional Practices Framework, and is built into public sector policies and procedures.
  • Poor performance may lead to reputational damage and create a new suite of tasks to complete.

Dictatorial: Clients do not want or appreciate an auditor who tells them how to run their business.
  • Over-prescriptive audit recommendations are not fit for purpose and do not engage management.
  • A “one-size-fits-all” or “been there, done that” approach does not encourage an understanding of the risks or ownership of internal controls.

Not inclusive: Clients do not want an auditor who fails to keep the Chief Audit Executive or Project Sponsor in the loop.
  • Failing to keep the CAE fully apprised throughout the audit undermines the credibility of both the CAE and the audit function overall.
  • Audit activity could be driven by service provider preferences rather than organisational needs.

Passive: Clients do not want an auditor who is not prepared to identify and report bad news.
  • Auditors need to be frank and, at times, make findings regarding high risks that management might not want to hear or read.

False economy: Clients do not want auditors who lowball on price so that they can use audit as a ‘loss leader’ to find more lucrative consulting opportunities.
  • Service providers might not deliver the quality audit team promised when the contract was signed, instead sending in “raw” junior staff.
  • This can lead to price gouging and a waste of public funds.

Poor communication: Clients do not want reports that are poorly written, unclear, difficult to understand and easy to ignore.
  • Poorly written reports make it hard to gain acceptance of audit findings and the associated recommendations.
  • This has the potential to damage the credibility of Internal Audit.

Measuring the value and/or performance of internal audit services

The value and/or performance of internal audit should be regularly monitored and reported. Good metrics for internal audit effectiveness include:

  • Completion of approved audit program
  • Proportion of audit recommendations accepted
  • Level of satisfaction with quality, type and volume of information presented and reported
  • Levels of satisfaction with individual audits, with respect to value add and usefulness of recommendations
  • Proportion of audits completed (to draft report stage) within planned number of days budgeted.

An internal audit service provider should also be the “right fit” for your business. Senior personnel should be qualified, responsive and willing to share their time, experiences and knowledge of better, innovative practice. They should also be attuned to and readily fit in with the prevailing culture of the organisation, whilst still remaining independent at all times.

Centium's Risk & Assurance team

Centium’s Risk & Assurance team comprises experienced Senior Auditors that understand business and the public sector environment. Each and every member of the team has a proven track record across multiple sectors and jurisdictions. This experience lends itself to our team members being able to make helpful and pragmatic recommendations and suggestions for improvements, based on their extensive learnings across the public and private sectors.

Centium’s Senior Auditors understand risk management, the competing demands on your time and your expectations regarding cost-effectiveness; we always scale and present our audit recommendations in a manner that best suits your business.

Our Auditors perform sufficient testing and maintain good working papers to ensure compliance with the IIA’s Standards, and are willing and able to provide them to you on demand. The team writes well, and we stand by the quality of our audit reports.

Our Director Risk & Assurance will support and work in partnership with the Chief Audit Executive / Project Sponsor to meet the needs of both the organisation and the Audit Committee.  Our team is professional and can call on broad, collective experience to identify poorly-controlled risks, initiate a call to action, and provide appropriate advice as to how other organisations have addressed similar risks.

Finally, our Risk & Assurance team charges sustainably for their services (an ethical requirement) and provides value for money for both assurance and consulting engagements. We also have a range of discrete, low-cost management tools that help diagnose and assess organisational maturity across a range of risk-based issues.

Contact us

If you have questions or concerns about finding the right internal audit provider, or would like to further discuss Centium’s audit offering, you can contact Director Risk & Assurance, Penny Corkill at penelope.corkill@centium.com.au or 0409 251 011 for a confidential, no obligation conversation.

The PCI Security Standards Council (PCI SSC) published a new version of the PCI Data Security Standard (PCI DSS) on 31st March 2022.

The new standard V4.0 provides a baseline of technical and operational requirements designed to protect payment data and will replace version 3.2.1 to help combat emerging threats and technologies.

The new requirements included in PCI DSS v4.0 are either:

  • Effective immediately for all PCI DSS v4.0 assessments.
    OR
  • Best practices until March 31, 2025, after which they become effective. 

The current version, v3.2.1, will remain active for two years until March 31, 2024. This will provide relevant organisations with time to understand v4.0 and implement the updates. We advise organisations to adopt the new PCI DSS 4.0 requirements in a timely manner to protect their payment data.

What are the key changes in Version 4.0?

Three key types of changes are introduced, and they are as follows:

  1. Evolving requirement: Changes to ensure that the standard is up to date with emerging threats and technologies and changes in the payment industry. Examples include new or modified requirements or testing procedures or the removal of a requirement.
  2. Clarification or guidance: Updates to wording, explanation, definition, additional guidance, and/or instruction to increase understanding or provide further information or guidance on a particular topic.
  3. Structure or format: Reorganisation of content, including combining, separating, and renumbering of requirements to align content.

Please view the PCI DSS V4.0 key changes:

How can Centium help your organisation comply?

Our team of PCI DSS experts and specialists has worked with dozens of merchants, service providers, and acquiring banks. We have also mapped all related processes and requirements across the new PCI DSS V4.0.

If your organisation needs a helping hand in complying with the PCI DSS V4.0 Standard to increase your security and meet your compliance requirements, our team would be more than happy to discuss how we can help you. You can view further information about our service, team and experience in our Service Capability info sheet.

For more information, please contact Vipan Chauhan, Director Cyber & IT on 0434 896 764 or vipan.chauhan@centium.com.au.

Our thanks to the PCI Security Standards Council for proactively updating PCI DSS requirements and providing us with supporting guidance and a supplemental "At A Glance: PCI DSS V4.0" document to understand the context of these changes. At-A-Glance: PCI DSS v4.0 is provided with permission of PCI Security Standards Council, LLC (“PCI SSC”).  All rights reserved.  Neither PCI SSC nor its licensors endorse this presentation, its provider or the methods, procedures, statements, views, opinions or advice contained herein.  All references to documents, materials or portions or requirements thereof provided by PCI SSC should be read as qualified by the actual materials made available by PCI SSC.  For questions regarding such materials, please contact PCI SSC through its website at https://www.pcisecuritystandards.org.

Over the last few years both State-based and International anti-corruption bodies have been busily dealing with a steady stream of fraud and corruption cases. This has included well-publicised cases involving all levels of Government, as well as organisations across the Not-for-Profit and Private sectors. No industry, occupational group or sector is immune from the threat of fraudulent conduct.

All you need to do is look at recent headlines to see how commonly these cases are being carried out and reported on:

“Worker sentenced to 30 months’ imprisonment for defrauding $244,000 from the Chris O’Brien Lifehouse, including by changing the bank account details of a cancer patient who died to an account she had access to”

- The Sydney Morning Herald (SMH), 3 March 2022

“Former head of Surf Life Saving NSW will spend at least 19 months behind bars after he defrauded the organisation during eight years at its helm…”

- SMH, 18 February 2022

“Australia records its worst ever score on anti-corruption index after decline to match Hungary’s”

- The Guardian, 25 January 2022

“Significant corruption allegations and findings within Council revealed.”

- Cairns Post, September 2021

“Council asks corruption watchdog to look into missing $4 million”

- SMH, 15 March 2021

“Council referred to corruption watchdog over defamation legal spend”

- The Brisbane Times, 5 January 2021

Why do some organisations struggle to implement fit for purpose fraud and corruption prevention strategies?

Fraud and corruption prevention is important in every organisation. Whether it be public sector agencies responsible for exercising the business of government, or Not-for-Profits appropriately using grant funding from government, the risks posed by fraud and corruption are simply bad for business. And there are plenty of these risks: reputational damage, financial loss, legal costs, business disruption, staff turnover, etc.

But when organisations are facing challenges like shrinking budgets and increased service delivery expectations, the importance of fraud and corruption prevention can sometimes be overlooked. It can thus be difficult to determine whether your organisation’s fraud and corruption control system is fit for purpose. This is further exacerbated when changes to working arrangements and loss of long-term staff members lead to the loss of valuable knowledge about an organisation’s fraud and corruption risks and how to control them.

As you are probably aware, an almost bewildering array of written technical resources and standards exists to guide the prevention and detection of fraud and corruption. However, many existing resources are generic in nature and may not be entirely appropriate for your organisation.

For example, the Australian Standard on Fraud and Corruption Control (i.e. AS8001:2021) runs to more than 50 pages. Small agencies are therefore likely to find it onerous and costly to fully implement. On the other hand, the NSW Audit Office’s Fraud Control Improvement Kit, which breaks fraud (but not corruption) control down into 10 attributes and 38 individual control elements, does not easily align to the Standard.  

There is also a plethora of guidance and compliance requirements for public sector organisations, including Internal Audit, Risk Management, Audit Committees, Cyber security, recordkeeping, information classification and handling, supplier due diligence, and so on and so forth.

The sheer volume of information can be overwhelming – it can be even tougher to independently assess whether your organisation’s fraud and corruption control system is both compliant and fit for purpose.

Ensuring your fraud and corruption prevention is fit-for-purpose

FACET is a Fraud and Corruption Evaluation Tool that, when applied, will provide your organisation with contextual and appropriate advice to ‘correct-size’ your fraud and corruption controls. FACET is specifically designed to measure:

  1. An organisation’s inherent exposure to fraudulent and/or corrupt activity and its sensitivity to that exposure (i.e. how important is managing fraud and corruption to an organisation?)
  2. The maturity of an organisation’s Fraud and Corruption Control System (i.e. is an organisation well placed to manage its fraud and corruption risks?)

FACET has been developed by Centium, using our vast experience and knowledge of fraud prevention, risk management and internal audit.

FACET results, which will be presented in easy to understand graphics for each risk exposure (refer sample below), are not designed to drive you blindly towards best practice regardless of the appropriateness or cost of such an approach. They are designed to help you match the control system to your organisation’s risk profile and resources, i.e. to find a perfect balance between risk and control!

If you would like to know more about FACET or any of our other intelligent fraud and corruption control services (risk assessment & register, audits, etc), please contact Centium’s Director Risk & Assurance, Penny Corkill on 0409 251 011 or penelope.corkill@centium.com.au.

View our range of Risk & Assurance services. Alternatively, talk to us about how we can help.

We all started last year with high hopes, not realising that it would end up being a virtual repeat of 2020. It's taught us to be a little warier. And so, going into 2022, many organisations are feeling more cautious than optimistic.

While hope can push us forward, there is nothing wrong with combining this hope with measured caution. In fact, being prepared for everything - aware of emerging risks and the systems and processes to mitigate them - is one of the best ways to ensure long term success.

At Centium, we've been preparing for 2022. Our team has been reviewing Audit Office reports, scanning the media, researching industry issues, and brainstorming ways in which various sectors can minimise their risks. We have augmented this research by reviewing the audit programs and special audits undertaken within our extensive client base.

As a result of these activities, we are now sharing our research and recent experiences by suggesting which topics and areas will be of most relevance this year when it comes to risk management and internal audit. We’re hoping that this will provide “food for thought” for audit and risk professionals as they prepare and/or recast annual work plans across all levels of Government.

Australian Government

Centium is thrilled to announce that we have recently been appointed to the Australian Government’s Management Advisory Services (MAS) Panel for internal audit services.

Given the election cycle, it is anticipated to be a busy time for Australian Government agencies.  This activity also presents an opportunity for internal audit to review controls associated with high risks, as well as the effectiveness of governance frameworks to ensure agencies remain accountable, impartial and committed to service during any resultant Machinery of Government changes.

Topical suggestions for internal audit include:

1. Grants Administration

Grants programs (and equivalent research and tax incentives) should be robust and demonstrate value for money, particularly given that it is public money. Core to each grants program should be the key principles of transparency, accountability, and probity. Sounds eminently reasonable, yet grants administration has emerged as a substantial reputational risk for Government at all levels. Together with probity advisors, internal audit has an important role to play in providing assurance over grants programs and ensuring the continuous improvement of grants administration.

2. Workforce Planning

With changing working conditions, staff shortages and the impending threat of a ‘great resignation’, agencies remain vulnerable if they have not acted to identify (and regularly review) future staffing and training needs. Several Australian Government agencies have been the subject of workforce planning performance audits, including the Australian Security Intelligence Organisation (ASIO) in 2020-2021. An internal audit would similarly cover strategic workforce planning, including:

  • governance
  • systems and processes to analyse and identify gaps
  • the adequacy of strategies to recruit, develop and retain key staff
  • a review of monitoring and reporting arrangements. 

This audit is particularly relevant given the upcoming Federal Government election and anticipated post-election reshuffles.

3. Sustainability and ESG

Sustainable or resilient agencies understand the value of Economic, Social and Governance factors to their stakeholders. The Institute of Internal Auditors (Australia) believes that

“Globally the world is sitting up and taking notice of ESG, not only from the benefits it provides to organisations, investors and stakeholders, but also to the positive impacts experienced by the community, both locally and globally”.

These benefits are similarly applicable to Australian Government agencies and should be subject to transparent reporting about achievements and areas for improvement. Internal audit can provide assurance regarding the efficiency, effectiveness, economy and ethics of agency business activities. Where appropriate, audits would also consider ESG factors for third party suppliers – service delivery through other entities was recently the subject of an Australian National Audit Office Report. See also our suggestions for a separate audit below.

4. Bullying & Harassment Prevention

Recent private sector Executive removals, together with high profile media coverage, would appear to (finally!) indicate a decreased tolerance regarding poor and unacceptable workplace behaviour. All organisations need to ensure that the ‘tone at the top’ is such that a culture of respectful and appropriate behaviour towards employees is fostered and rewarded. It is also critical that employee complaints are taken seriously and quickly acted upon. Internal audits can assess how culture is managed and monitored. They can also provide an independent assessment as to whether an agency has effective practice systems, processes and controls in place to prevent bullying and harassment.

NSW State Government

As the dust settles on another round of Machinery of Government changes, State Government agencies are expected to face pressures managing return-to-work arrangements and increasing scrutiny, all of which will assume increased focus as the March 2023 elections approach.

Based on our research, our suggestions for internal audit hot topics in 2022 are as follows:

1. Third-Party Suppliers

Contracts often form a large part of agency expenditure – yet the inadequate management of third-party suppliers was over-represented in recent Audit Office reports. Service delivery through other entities was also recently the subject of an Australian National Audit Office Report. A comprehensive audit of third-party suppliers offers the opportunity to assess inter-related business activities, from Service Level Agreements (SLAs) and governance, standard contract terms (e.g. ICT controls and business continuity) to contract variations (and possibly procurement processes) and records management and mandatory reporting. The alternative is ongoing inadequate or inconsistent third-party monitoring, which could result in poor performance, increased costs, and reputational damage.

2. Payroll & Entitlements

Basic payroll and entitlement issues were similarly identified in the Audit Office reports for most clusters. As payroll expenses account for a substantial proportion of the budget (and people are an organisation’s most important asset), it is important to establish and maintain good controls over payroll and entitlements. An audit can walk through and test controls over employee Masterfile data, payroll variations, time and attendance procedures, roster management, mandatory superannuation and taxation obligations, etc. Payroll access should also be regularly audited, as should the segregation of duties between key payroll activities.

3. Ethical Culture

The ethical culture is the character of an organisation; the accepted values, beliefs, behaviours, goals, attitudes, and work practices that underpin organisational decision-making. It is how the people in an organisation approach their work and interact with others to deliver the business of the organisation. An ethical culture has a profound impact on the way organisations do business and is key to minimising reputational risk, with the media quick to jump on those organisations not behaving ethically.

4. Cyber Security

Strong IT controls are critical in protecting an agency’s systems, networks, and programs. Cyber-attacks aim to disrupt/interrupt normal business processes, gain access to information with the aim of stealing, changing, or destroying content and/or extorting money from individuals or organisations. NSW Government agencies are required to assess maturity and report results against the Cyber Security Policy (CSP) and Essential 8 – noting that there are equivalent security policies and standards applicable in other jurisdictions. It is important that an independent, specialist assessment is periodically undertaken to ensure that organisational maturity is not overstated.

5. Governance & Delegations Management

In 2021, the Audit Office of NSW once again found shortcomings relating to basic governance controls. Examples included out-of-date and/or missing policies, poor recordkeeping and document retention, incomplete or inaccurate information registers, and superseded bank signatories. Organisations should regularly review (and audit) their policies, procedures and delegations for adequacy and implementation effectiveness, particularly regarding key business decisions. Such controls underpin effective and efficient organisations and are key to preventing fraud and corruption.

Local Government

It’s been a busy time for Local Government in NSW with recent elections and the induction of new and returned Councillors. There are several key policy changes, either finalised or in draft, all of which have impacts for Council Integrated Planning & Reporting Processes and overall risk management.

In this context, Councils should continue to ensure that their risk management and internal audit activities address new directions, priorities, and emerging risks. Centium’s suggestions for Local Government internal audits include:

1. Asset Management

Given the value and number of Council’s assets (and the complexity of asset categories), it is important that there are sound and robust controls in place around asset management. While external auditors focus on asset valuation, internal audits provide an excellent opportunity to test both a Council’s Asset Management Framework and its practices across nominated asset categories. These categories could include roads, plant and fleet, property, leisure and community facilities, natural environment, waterways, trees, etc.  Asset management audits can also be expanded to include procurement and disposal processes, both of which present a high inherent risk for Councils.

2. IP&R Audits

All councils in NSW use the Integrated Planning & Reporting (IP&R) framework to guide their planning and reporting activities. As part of this process, Councils are required to report on their progress towards achieving the vision outlined in their Community Strategic Plan. It is important that Council deliverables can be validated to ensure transparent reporting to the community on what has been achieved. Internal Audit can independently review performance against deliverables, trends and patterns, and the appropriateness of extant measures and targets.

3. Financial Management & Restricted Reserves

Financial management/investment represents a significant and substantial activity for a Council. An audit of financial management/investment can provide assurance over the effectiveness and appropriateness of the Council’s governance operations. Such an audit can also be expanded to consider the management of a Council’s restricted reserves (e.g. funds limited by legislative, administrative or internal requirements).

4. Cyber Security

Cyber security is an increasing risk for all businesses, including Councils that act as custodians of confidential information and cannot afford to lose time and money due to cyber-attacks. Cyber Security NSW has developed a draft Cyber Security Guideline for Local Government, which has in turn been released by OLG. This guideline is intended to be used by Councils to help increase their cyber maturity. While it is currently not mandatory to assess and report against it, there is an opportunity to benchmark maturity and remediate gaps. Centium’s Cyber Security professionals have worked with several proactive Councils to conduct Health Checks and develop prioritised improvement plans.

5. Work Health & Safety

The importance of minimising workplace injury and illness cannot be overstated. Employers and businesses have a primary duty of care to their workers and visitors to their workplace, including contractors and volunteers. There are numerous strategies and processes that employers and businesses need to have in place to comply with workplace health and safety legislation. An audit or health check against recognised standards can identify any gaps in compliance, minimise risks and suggest improvements. 

The benefits of an end-to-end, independent Internal Audit approach

We’ve all had enough surprises over the past two years. The right approach to risk management and internal audit can ensure you don’t experience more shocks than you need to in 2022 – plus enable you and your team to be fully prepared and ready to go.

To ensure audits are carried out thoroughly and in accordance with any relevant policies or standards, the importance of an experienced and independent perspective cannot be overlooked. Centium offers independent and practical internal audit services and can provide additional support to improve or adjust any processes or frameworks that aren’t consistent with better practice.

Importantly, our qualified team is committed to creating strong partnerships and building client capacity, improving organisational resilience and facilitating the ownership of outcomes. One of Centium's key differentiators is our approach to risk and assurance projects, including routine and complex reviews. We use proven methodologies and tailor our audit practices to each client, always considering context, geographic and regional issues, operating model, objectives, and challenges.

View our range of Risk & Assurance services. Alternatively, talk to us about how we can help.

Last Friday, ABC News carried a story about the Board of building materials maker, James Hardie, dismissing its chief executive, Jack Truong. The Board had conducted “extensive due diligence to provide for a sincere change in Mr Truong’s behaviour”, but employees made further complaints about how he treated them. The company’s shares lost 4.1% on the news of the CEO’s departure.

The Chair of the Board commented that “while the transformation and share price growth that occurred under Mr Truong’s leadership was truly remarkable … Mr Truong’s conduct, while not discriminatory, extensively and materially breached the James Hardie Code of Conduct, and a Board meeting held today resolved to terminate Mr Truong’s employment, effective immediately. The Board took this action to uphold the Company’s core values, including Operating with Respect, and to maintain continuity of the management team that has been instrumental in our transformation”.

We wondered if this damage to the company’s reputation and share price, as a result of an Executive dismissal for alleged misconduct, was an isolated phenomenon.

We found an article written by Amber Shultz in September 2021 that described three instances in 2018 of the ‘exponentially expensive’ effect of allegations about CEOs’ alleged inappropriate behaviour:

  • When model Kate Upton accused Guess co-founder Paul Marciano of harassment over Twitter in February 2018, more than $250 million was wiped off the company’s market value in less than a day.
  • QBE shares dropped by 9.2% between August 20 (when a complaint by a female colleague was lodged against boss Pat Regan) and his dismissal on September 1.
  • Between Boe Pahari’s first day as the boss at AMP Capital, allegations publicised on July 1, and his demotion on August 24, AMP’s share price had plummeted by 23%.

These examples appear to indicate a sea change in which Boards and shareholders are no longer prepared to put up with company executives’ poor behaviour, irrespective of the short to medium term impact it may have on share price and company value.

Plainly, publicly listed and indeed all other organisations need to ensure the ‘tone at the top’ is such that a culture of respectful and appropriate behaviour towards employees is fostered and rewarded. It is also critical that employee complaints are taken seriously and quickly acted upon.

Centium has extensive experience in discreetly investigating employee complaints involving CEOs and senior executives. We have also recently developed a cost-effective Health Check that can proactively assess your organisation’s culture and prevention framework as they relate to bullying and harassment.

If you would like to check the health of your organisational culture or have a confidential no-obligation discussion, contact our Director, Ethical Conduct & Investigations, Peter Mulhall, on 0416 161 819 or peter.mulhall@centium.com.au.

Cyber attacks can happen to any business at any time – reports show that in 2021, an Australian business was targeted every 11 seconds. Targets vary from SMEs to large government departments and organisations, and they are increasing in both severity and frequency, with the capacity to cost organisations thousands of hours and millions of dollars.

A Cyber Incident Response Plan enables the timely, consistent, and appropriate response to suspected and confirmed security incidents. An effective Plan will protect information and assets and minimise harm to individuals/entities that may be affected by the incident. 

Such plans are also intended to promote consistency in the way that an organisation prepares for and responds to a security incident, by documenting roles and responsibilities, risk assessment and escalation procedures, and notification requirements.

The following video discusses the benefits of Cyber Incident Response Plans:

The Benefits of Cyber Incident Response Plans

Testing your plan is essential

The fourth annual 2019 benchmark study on Cyber Resilience (conducted by IBM Security and the Ponemon Institute) showed that more than half of organisations with Cybersecurity Incident Response Plans fail to test them. This can leave them less prepared to effectively manage the complex processes and coordination that must take place in the wake of an attack.

Earlier this year, the highly regarded Ponemon Institute released its annual Cost of a Data Breach Report. This year’s report offers insights into cyber breaches from May 2020 to March 2021, alongside recommendations on how to reduce business risk. Within the report there were several key findings, including how testing has played a role in reducing the cost of a data breach:

“Organisations that had formed incident response teams and tested plans experienced data breach costs that were $2.46 million less than their counterparts.”

Now, we are presuming that you have a solid cyber security incident response plan in place, and it’s communicated to all required stakeholders. But does it work in the real world?

To quote Mike Tyson, “Everyone has a plan until they get punched in the mouth.” And when a real cybersecurity incident occurs, the punches will be flying. So, you need to regularly test your cybersecurity incident response plan, along with the capacity of the people and technology that will carry it out, so that the plan becomes more effective.

Picking the Right Incident Response Plan Test

If you're not motivated to do regular testing, others may provide the purpose you need. Major third-party compliance frameworks such as NSW Cyber Security Policy (CSP), MAS TRM, SOC 2 and PCI DSS, for example, require an annual test of your incident response plan, even though they don’t specify an exact testing approach. Your organisation's cybersecurity maturity and risk level may also indicate that you need semi-annual or quarterly tests.

By implementing a regular testing regime your testing will become more effective and you will have more frequent opportunities to identify components of the plan that have gone out of date.

Your customers may impose contractual security requirements on the testing approach that are more stringent than those of the frameworks. We have seen some companies recently tell potential vendors that their testing process is not rigorous enough. This has resulted in the vendor having to decide whether the contract was valuable enough to justify the time and expense of running a thorough simulation test every year to satisfy and hopefully retain the customer.

The National Institute of Standards and Technology (NIST) Special Publication 800-84 defines two types of exercises (tabletop and functional) as well as tests:

Exercises

Tabletop Exercise

A tabletop exercise is a discussion-based session where a team discusses their roles and responses during a security incident, walking through one or more example scenarios. The atmosphere is collegial and exploratory. The primary objectives of the tabletop exercise are to:

  • increase security situational awareness;
  • facilitate discussion of appropriate incident responses; and
  • identify gaps and issues in the Incident Response Plan.

In a tabletop exercise, a facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination, and decision-making. It's only worth starting a tabletop exercise if you already have some form of response plan in place for the scenario you'll be running through. Tabletop exercises are great for testing plans.

Functional Exercise

Functional exercises allow personnel to validate their readiness for emergencies by performing their duties in a simulated environment. These tests not only evaluate what your team would do when confronted with a major incident but also how they would do it. Unlike simulated attacks, which are often still conducted tabletop style, functional exercises are designed to test the roles and responsibilities of specific team members, procedures, and assets involved in one or more practical aspects of a plan (e.g., communications, emergency notifications, IT equipment setup).

Functional exercises vary in complexity and scope, from validating specific elements of a plan to full-scale exercises that address all plan elements. Functional exercises allow staff to execute their roles and responsibilities as they would in an actual emergency, albeit in a simulated setting.

Tests

Tests are evaluation tools that use quantifiable metrics to validate the operability of an IT system or system component in an operational environment. A test is conducted in as close to an operational environment as possible.

Tests and exercises vary in complexity and level of effort, with functional exercises and tests providing the highest assurance that incident response plans and procedures would operate as intended during a real incident. Tabletop exercises provide a good mechanism to ensure personnel with incident response duties understand their roles, responsibilities, and procedures.

Incident Response Test

NIST SP 800-61 (Computer Security Incident Handling Guide) establishes the incident response life cycle, summarised in the table below. The life cycle should be the basis of the organisation’s incident response policy and procedures, and those documents should be built to include the activities performed at each stage.

IR Lifecycle Stage and Summary of Incident Activities

Preparation
  1. Provide training and awareness for all individuals in recognising anomalous behaviour and the specific reporting requirements for suspected breaches
  2. Gather contact information for incident handlers
  3. Gather the hardware and software needed for technical analysis; and
  4. Perform evaluations, such as tabletop exercises, of the Incident Response (IR) capability.

Detection & Analysis
  1. Monitor information system protection mechanisms and system logs
  2. Investigate reports of suspected breaches
  3. Notify authorities

Containment
  1. Choose and implement a strategy for preventing further loss based on the level of risk
  2. Gather and preserve technical evidence, if applicable

Eradication
  1. Eliminate components of the incident, such as deleting malicious code and disabling breached user accounts, if applicable.

Recovery
  1. Restore systems via appropriate technical actions such as: restoring from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, and tightening network perimeter security.

Post-Incident Activity
  1. Hold a lessons-learned debrief and record the findings in a post action report
  2. Update the IR plan, policies and procedures from those findings.
Table 1: Incident Response Lifecycle

Organisations should develop test and exercise material to guide the execution of the test, including a test scenario for a hypothetical breach. The table below provides some example scenarios that can be tailored to meet organisational needs, together with the objectives the tabletop discussion should work through for whichever scenario is chosen:

Breach Scenarios
  • Through a routine evaluation of system logs, a system administrator discovers that data has been exfiltrated from the system by an unauthorised user account.
  • A remote user has lost their laptop. The user’s job function required that organisation data be stored on the laptop.
  • After a recent office move, it is discovered that a locked cabinet containing sensitive data is missing.

Tabletop Exercise Objectives (one per lifecycle stage, applied to the chosen scenario)
  1. Determine the actions that would help prevent this type of incident (preparation).
  2. Determine the controls in place that would help identify this incident, along with the procedures for reporting it (detection and analysis).
  3. Determine how to prevent further damage (containment).
  4. Determine how to clean the affected systems (eradication).
  5. Determine how to restore the system in a secure manner (recovery).
Table 2: Sample Incident Response Evaluation Scenarios
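As an added example (not code from the original article), here is the kind of detection control that objective 2 asks participants to identify for the first scenario: a check run over log lines that flags transfers by accounts outside the authorised list and flags egress volume above a threshold. The log format, the sample lines, the authorised account list, the internal address range and the 500 MB threshold are all constructed assumptions.

```python
"""Added example: an exfiltration check over constructed access-log lines.

Not code from the original article. It illustrates the detection and
analysis objective for the first sample scenario (data exfiltrated by an
unauthorised account, found during routine log review). The key=value log
format, account list, internal prefix and threshold are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, used here as stand-ins for external hosts.
SAMPLE_LOGS = """\
2024-03-02T01:14:07Z user=alice action=download bytes=2048 dst=10.0.5.12
2024-03-02T01:15:31Z user=alice action=download bytes=4096 dst=10.0.5.12
2024-03-02T02:03:44Z user=tmp_admin7 action=download bytes=734003200 dst=203.0.113.7
2024-03-02T02:05:02Z user=tmp_admin7 action=download bytes=812000000 dst=203.0.113.7
2024-03-02T02:09:18Z user=bob action=upload bytes=120000 dst=10.0.5.30
2024-03-02T03:41:00Z user=bob action=download bytes=1500000000 dst=198.51.100.9
malformed line that should be skipped
"""

# Assumed: accounts provisioned through the normal joiner process.
AUTHORISED_ACCOUNTS = {"alice", "bob"}
# Assumed: internal address space; anything else counts as egress.
INTERNAL_PREFIXES = ("10.",)
# Assumed: per-account egress ceiling for the reviewed window (500 MB).
EGRESS_THRESHOLD = 500 * 1024 * 1024

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"bytes=(?P<bytes>\d+) dst=(?P<dst>\S+)$"
)


def parse_lines(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec


def is_egress(dst):
    """True when the destination is outside the assumed internal range."""
    return not dst.startswith(INTERNAL_PREFIXES)


def find_exfiltration(text, authorised=AUTHORISED_ACCOUNTS, threshold=EGRESS_THRESHOLD):
    """Return findings as (kind, user, egress_bytes) tuples.

    Two independent signals are checked so that either alone raises a finding:
    1. any activity by an account that is not on the authorised list; and
    2. total egress to non-internal destinations above the threshold, which
       also catches a legitimate account being misused.
    """
    findings = []
    egress = defaultdict(int)
    unknown = set()
    for rec in parse_lines(text):
        if rec["user"] not in authorised:
            unknown.add(rec["user"])
        if is_egress(rec["dst"]):
            egress[rec["user"]] += rec["bytes"]
    for user in sorted(unknown):
        findings.append(("unauthorised_account", user, egress.get(user, 0)))
    for user, total in sorted(egress.items()):
        if total > threshold:
            findings.append(("egress_threshold", user, total))
    return findings


if __name__ == "__main__":
    for finding in find_exfiltration(SAMPLE_LOGS):
        print(finding)
```

Run over the constructed lines, the check reports the unprovisioned account tmp_admin7 once for existing at all and once for its egress volume, and it also reports bob, whose 1.5 GB download to an external host exceeds the threshold despite the account being legitimate. In a tabletop, the follow-on question is who receives those findings and how quickly, which is the reporting procedure objective 2 also asks for.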

Evaluating your testing exercise

Evaluating the exercise is a critical step in ensuring the success of the incident response program. After the test or exercise is complete, the participants should hold a debriefing to discuss what worked well and what could be improved.

The comments and issues that emerge during the debriefing, along with the lessons learned documented by the data collector during the exercise, should be captured in the Post Action Report (PAR). The PAR should also record the observations made by the facilitator and participants throughout the exercise and the recommendations for enhancing the IR plan that was exercised.

In general, IR tests and exercises should:

  • Be organised, facilitated undertakings
  • Leverage the facilitator guide, participant guide and PAR templates given in NIST SP 800-84 (which calls the PAR an after action report)
  • Include individuals with incident response responsibilities, such as business/mission owners, IT management and technical points of contact
  • Include a simulated notification to the relevant regulator or authority (for example APRA or the OAIC), or a test contact
  • Ensure that any test contact with APRA or the OAIC is clearly identified as an exercise or test at the start of every conversation and in all written submissions
  • Produce documentation that serves as verifiable evidence that the exercise took place
  • Produce documentation that captures the actions necessary to identify, report, contain and remediate the incident at each stage of the incident response lifecycle
  • Produce a PAR describing operational gaps and the plans to mitigate them. Incident response plans, policies and procedures then need to be updated with the results from the PAR

You should regularly review and update the incident response plan (including threat-specific plans) and practise it just as regularly.

Support from security specialists

Centium has extensive experience partnering with clients to raise cyber security awareness, identify and manage cyber and IT risks, and build resilience. Our cybersecurity professionals are highly skilled at translating technical concepts into practical plans and procedures. 

We also have a proven track record creating robust incident response plans (including threat specific playbooks) and facilitating scenario tests that enable organisations to realise and address gaps in existing planning documents quickly.

Our approach allows your staff to actively participate in facilitated scenarios and role plays, while we independently observe proceedings. At the end of the workshop, we will debrief with the team, and provide a report on our findings and opportunities for improvement.

Contact our Director, Cyber, IT & Business Continuity for a no-obligation discussion on 0434 896 764 or vipan.chauhan@centium.com.au. Alternatively, browse Centium's range of Cyber, IT & Business Continuity services.  
