The festive season has arrived: end of year celebrations, lunches, dinners, drinks, gifts. Can you have it all?
Navigating professional relationships and managing conflict of interest, particularly in the public sector, is paramount. Receiving and giving gifts and benefits is a common practice at this time of year, and its intersection with probity issues is of relevant importance.
Probity matters that might arise within this context are:
Gifts and benefits policies offer great guidance to staff and stakeholders in relation to the ethical matters to consider in a professional setting, serving as a shield against improper behaviour. The key components of an effective gifts and benefits policy include:
Integrating probity principles into your Gifts & Benefits Policy supports ethical and robust decision making.
Does your organisation have a Gifts & Benefits Policy? Is it customized to your work environment and cover all potential scenarios?
If you would like to explore how Centium can help your organisation enhance its probity posture, please reach out to Joan Cavalieri, Director Probity & Ethics on Email: joan.cavalieri@centium.com.au.
It’s not uncommon, at the end of a Cyber Audit Cycle, for organisations to be hit with below than expected audit outcomes and maturity levels. At that point, the audit's outcome is locked in, and there is no possible recourse.
This isn’t a good situation for an organisation to be in. A poor cyber audit outcome can have several negative consequences for organisations, including financial penalties, higher operational costs, compromise of confidentiality, integrity and availability of critical assets, and a loss of trust and reputation from clients and the public.
That’s why, when it comes to Cyber security compliance audits, the heavy lifting should not be left to the end.
This can all be avoided with a more proactive approach. In most situations, a timely mock audit can help in identifying shortcomings that, when addressed, can substantially improve an audit outcome.
The mock audit is much like an actual audit, whereby the applied methodologies, standards and recommendations reflect the actual audit. Therefore, it unfurls the enigma of a review by identifying compliance gaps and areas requiring improvement and suggesting corrective actions you need to take to succeed in the audit.
This type of proactive planning has many benefits, such as:
All these benefits enable you to avoid costly fines and penalties, while enhancing stakeholders' trust and reputation in your organisation.
A mock audit is particularly valuable if your organisation has never been examined, as there may be significant gaps and deficiencies that have not been discovered yet. Even if your organisation has already been examined, a mock audit is worth considering as there may have been significant changes in your business, such as new services or other internal and external rules and regulations, since your last audit.
An independent, competent, and qualified third-party consultant will bring a fresh perspective and assist in identifying gaps you might not even know existed.
Centium is an agile management consulting firm that specialises in minimising risk for government organisations. A large part of that is providing independent IT and Cyber Security services that add value and mitigate risks.
We specialise in audit services and can undertake a Cyber Security Mock Audit against your cyber security requirements, such as the NSW Cyber Security Policy, the ACSC Essential 8, NIST, PCI DSS, SOC1/ISAE3402, SOC2 or ISO27001. We can also follow up with a (cost-effective) formal audit within the defined timelines, ensuring higher audit compliance ratings along with significant time and cost savings.
For more information about how this approach can add value to your Organisations' Cyber security efforts, please contact our Director, Cyber & IT, for a no-obligation discussion on 0412 562 797 or scott.thomson@centium.com.au. Alternatively, browse Centium's range of Cyber & IM services.
If you're a government or not-for-profit organisation that has an interest in our services, you can reach out to us at info@centium.com.au to discuss your needs, or to find out more about how our alliance could benefit you.
Centium has applied its many decades of combined auditing experience with the requirements and guidelines of Federal, State and Local Governments to develop an innovative and comprehensive risk maturity model over procurement and contract management.
Centium is now using this model to sharpen its auditing practices and to provide sound and targeted advice to organisations seeking to further improve the effectiveness of their procurements and to better safeguard against fraud and corruption.
The maturity model is a living example of Centium’s innovative and customer-centred approach to helping organisations better manage their risks. A snapshot of the model is copied below:
If you are interested in hearing more about the model, or in engaging Centium to review your procurement and contract management controls, contact Penny Corkill:
Honesty, fairness, impartiality, transparency, and accountability are paramount principles to ensure the probity of process and robust decision-making. Government organisations and staff are trustees of the public interests and money; hence they should be the moral exemplar, held to the highest standards, and have a duty to uphold the values, act with transparency, and accountability, and achieve the best value for money.
Society’s ethical expectations are higher than ever, and doing the right thing is critical to building, maintaining, and fostering a healthy culture, trust, and reputation. It ensures robust and good decision-making, sustainable outcomes, and the best and most efficient allocation of resources.
In upholding integrity and probity, public employees must comply with their public duties whilst ensuring their personal and professional relationships and interests, including indirect interests such as those of their friends and family, do not present a conflict. In upholding integrity and probity, all parties, especially those in senior positions, must set the tone and base their decision on legislation, policies, and ethics.
Robust frameworks and education are paramount to ensure compliance with one’s obligations and ensure accountability of those who fail to observe their duties - intentionally or not. Communication and training are the starting point for providing stakeholders with a clear outline of their roles and responsibilities relating to conflict of interest, record management, transparency, supervision, and accountability.
Recent cases illustrate the consequences of failing to have, implement and or comply with framework and standards:
Sydney Metro
The use and management of some consulting services by Sydney Metro is currently under review by a Parliamentary Inquiry. Sydney Metro is under scrutiny for awarding contracts worth millions of dollars to companies whose Directors were also executives at the organisation. Questions about Sydney Metro mismanagement of conflict of interest have been raised during the inquiry:
“Given that you had [employee] sitting within Sydney Metro for ... almost ten years and he is also the Managing Director of [advisory company], what steps did Metro take to make sure the information he was privy to at Sydney Metro was not then used to benefit [advisory company] Bellgrove Advisory in relation to these contracts?
What steps does Metro take to ensure the information obtained by these consultations or contractors sitting within Metro is not then taken and misused in order to benefit their company by getting more work
out of Metro?[1]”.
It is alleged that that consulting firms with links to Sydney Metro executives were awarded contracts estimated worth of $13 million.
NDIA and Synergy360
The procurement and use of consulting firms by Services Australia and the NDIA was referred to the National Anti-Corruption Commission (NACC) for investigation. The recommendation is based on allegations relating to improper relationships and undisclosed conflict of interest and financial misconduct.
A total of 19 contracts amounting to approximately $374 million are at the heart of the allegations of undisclosed conflict of interests by APS executives and suppliers, and inadequate record keeping.
The investigation noted that Mr Stuart Robert, former NDIA Minister, met several times with suppliers during the tender processes. There were no probity advisors or other public servants at those meetings, there were no notes or records of the discussions. The supplier paid significant funds to a consultancy company, in which the Minister and his friend allegedly would have pecuniary interests in and benefited from.
Both cases are recent and follow many others where staff in government agencies failed to comply with established the probity principles, commonly through mismanagement or nondisclosed conflict of interests. This has resulted in significant reputational damage and loss of public confidence.
“failure to declare or properly manage any conflict of interest”[2]; “undisclosed personal relationship[3]”; “inadequate responses to reported conflict of interests[4]”; “falsely declared that [they] had no actual, perceive of potential conflict of interest”[5]; “failure to declare [their] interest in real property[6]”, “failure to make a number of pecuniary interests disclosure[7]”.
Same narrative, different characters - repeatedly. It raises the question: What is the root cause? Generally, the failure to have, maintain, and implement robust probity frameworks and poor organisational culture are at the centre of it. The fix?
Live and breathe probity:
Fairness and lack of bias
Transparency and accountability
Confidentiality and security
Value for money
Audit trail
Failure to adhere to probity principles erodes public trust.
2. Good Governance
Compliance with policies and procedures.
Having policies and procedures in place alone is not sufficient. They need to be applicable, relevant and current to the public organisation. Effectively communicating policies and procedures to all staff and ensuring their compliance is imperative.
3. Tone from the Top
An effective the tone from the up is key to ensuring healthy organisational culture. It leads compliance, sets the standard , serves as a moral example and reinforces that undesirable behaviours are unwelcome. It fosters a safe environment whereby people feel free to speak up. Leadership is paramount to ethical culture.
4. Probity Awareness
Government staff must be aware of their roles, responsibilities, and probity principles. They should live and breathe probity in their day-to-day roles. Probity awareness training is vital. Training and education should be continuous.
5. Probity by Design
A robust probity framework designed to meet the public sector organisation’ needs, appetite, and profile will enable the organisation to meet its objectives. Probity is an enabler: it supports the operations and decision-making processes. It produces robust and defensible outcomes. It enhances reputation and community trust levels.
6. Conflict of Interests
Most organisations have a conflict of interest policy in place, yet most policies fail to address full gamut of the risks most organisations face. A conflict of interest policy must have a fit for purpose definition of ‘conflict’, and assist with COI risk assessment and available management strategies. It should also provide that conflict of interests’ declarations should be current and revisited. See here for more information about how to enhance your Conflict of Interests Policies.
7. Confidentiality
Confidentiality of information, particularly in procurement, is crucial to ensure the fairness and equity of major procurement and grants processes. Confidentiality Deeds and policies are effective tools, particularly when managing conflict of interests.
8. Guidelines and Protocols
Guidelines and protocols should be available to provide staff and stakeholders with directions and instructions on how to exercise their role whilst ensuring compliance with the probity principles. These should be part of the probity framework and tailored to the organisation. Protocols and guidelines may cover topics like communication, negotiations, conflict of interest management and any other relevant area.
9. Record Keeping
Recording all activities and decisions made throughout the tendering of grant processes is crucial. Good record keeping is good governance. Communications, including emails and notes of oral conversations should be documented. Notes and minutes of meetings should be taken and kept. It ensures accountability, transparency and support a defensible outcome. It allows an effective audit trail.
10. Reporting Channels
Public sector organisations must have reporting internal channels available and encourage staff and stakeholders to report issues. There should be clear process for the reporting of suspected misconduct , including relevant protections as provided at law, e.g., whistleblower protections and the Public Interest Disclosure Act. See here for further information about Whistleblower disclosures.
If you would like to explore how Centium can help your organisation enhance its probity posture, please do reach out to Joan Cavalieri, Director Probity & Ethics on Email: joan.cavalieri@centium.com.au.
Footnotes:
[1] Public Accountability and Works Committee, NSW Government’s Use and Management of Consulting Services 5 September 2023 – 915am.
[2] ICAC – Operation Galley
[3] ICAC – Operation Keppel
[4] ICAC – Operation Keppel
[5] ICAC – Operation Ember
[6] ICAC – Operation Witney
[7] ICAC – Operation Witney
As expectations for transparent environmental, social, and governance (ESG) reporting continue to increase across all sectors, stakeholders expect to see better management of carbon emissions, diversity, human rights, corruption, and bribery. We’re now witnessing cyber security rapidly rising to the top of the ESG material topic list for both Boards and Government leaders.
In fact, in a recent survey, cyber security was ranked by 67% of respondents as their top concern1 and is becoming one of the most financially material ESG risks that an organisation may face.
Cyber-attacks and data breaches, similar to those experienced by Optus and Medibank, are increasing in frequency and severity. As the volume of attacks and breaches rises, the financial impact is heightened. A cyber-crime is reported to the Australian Cyber Security Centre every seven minutes, with an average loss of $88,407 for medium-sized businesses2.
But cyber-crimes inflict more than financial loss – they cause reputational damage, loss of data, and significant business disruption. In fact, for many small organisations, a cyber security incident could be terminal once the trust of its customers is lost.
ReGen Strategic (ReGen) is an ESG Advisory whose purpose is to enable projects and services that have a positive social and environmental impact. ReGen has identified cyber security as such a critical issue that it has entered into a strategic partnership with Centium, based on our strong record of helping organisations identify and manage their cyber security risks. We believe that this partnership represents great opportunities for ReGen clients through access to Centium’s experience and expertise.
Cyber security should not be mistaken as a new term for IT or digital, it is about identifying and managing the risks to the confidentiality, integrity, and availability of your data, information, and systems. These are business risks that require proactive governance from the business and should form an integral part of ESG strategy.
Cyber security risks are considered throughout ReGen’s sustainability and ESG services, and are included as an integral part of their ESG maturity assessments, materiality assessments, strategies and reporting.
Many organisations are now disclosing cybersecurity as a material risk in their sustainability reports and annual reports, providing detailed narratives on their mitigation techniques. This also means adjusting their financial investment forecasts and budget accordingly.
ReGen’s ESG maturity assessment plays a key role in enabling organisations to align operations with international frameworks and standards, enhance stakeholder trust and confidence, mitigate risks (including cyber security), and unlock opportunities for long-term value creation.
Organisations demonstrating more advanced ESG maturity in the realm of cyber security point to formalised governance and defined roles such as data owner, data steward and data custodian (often the IT department). The data owner is aware of both the risks and threats that exist and the controls in place to reduce these to an acceptable level (risk appetite).
In the near future, we expect insurance premiums to be determined by the levels of maturity a business has in place to manage its cyber security risks. For those with little in place, higher premiums will be sure to follow. Models such as the Factor Analysis in Information Risk (FAIR) deliver both qualitative and quantitative analysis of risks and provide an excellent basis for engaging business executives in the meaningful evaluation of the risks and effectiveness of controls.
We believe that Cyber Security is such an integral component of ESG that we are running a special three-part series to explore this critical topic. In upcoming parts of this series, we will explore the key first steps in being more secure, applicable benchmarks and standards, where to start, and where to access free resources. We will close the series with an examination of the supply chain and how to be a trusted supplier to win and maintain business.
*Expert guidance is provided from Scott Thomson, Centium and Colin Davies, ReGen Strategic.
If you would like to explore how Centium can help your organisation be digital and cyber resilient, whilst driving sustainable growth, please reach out to Scott Thomson, Director of Cyber & IT at scott.thomson@centium.com.au.
Mishandling complaints and allegations, particularly whistleblower disclosures, can harm the individuals involved in them and damage your organisation’s reputation.
Organisations may also be subject to financial penalties of up to 10% of turnover (capped at $125M), with individual staff being liable to fines of up to $3.15M.
Most of the avoidable mistakes occur in the initial stage of assessing complaints and disclosures made under whistleblower legislation. Here are some best practice steps you should take to avoid the pitfalls.
Centium’s team of 12 senior Investigators (including the former NSW Deputy Ombudsman) has extensive experience in undertaking confidential and sensitive assessments, reviews and investigations resulting from employee complaints and disclosures that relate to alleged workplace misconduct.
As a result of this collective experience, we are well qualified to guide you through all phases of the complaint handling process. We can also provide training for your internal complaint handlers and investigators.
To discuss your investigation needs, browse Centium's Ethical Conduct & Investigations services. Additionally, for more information about how our learning and development solutions can meet your unique needs and circumstances, please contact us or check out our Learning and Development services.
Unfortunately, another NSW politician was recently asked to step down from the Ministry and referred to ICAC. Allegations suggest he breached his Code of Conduct and its conflict of interest provisions. This incident comes only a month after ICAC’s Operation Keppel uncovered seriously corrupt conduct by the former NSW Premier Gladys Berejiklian. She failed to disclose personal interests that could have influenced the performance of her public duty.
In response to the risks identified during their investigation, Operation Keppel has proposed some corruption prevention recommendations as identified in the ICAC investigation. The first two recommendations are as follows:
Centium plans to include these highly relevant and appropriate principles of public life in our Code of Conduct training program for both elected and professional individuals working in NSW state and local governments:
At Centium, our training programs use practical and engaging scenarios to help participants understand and recognise potential conflicts of interest. Here are some examples of scenarios:
Council is considering nominating community members to an advisory panel. One of the candidates contributed $2000 in June 2021 to your last political campaign. Do you have a conflict of interest? If so, what type?
A friend you have known for eight years through your previous workplace recently becomes a supplier to your Workplace. They send you a bunch of flowers to your home. What should you do?
Council is considering a draft Local Environmental Plan. You live in the LGA. Do you have a conflict? If so, what type? What about if you also own three investment properties in the LGA? Do you need to make a disclosure?
If you would like to explore how Centium’s Learning and Development specialists can ensure that your staff and elected members understand how to identify and declare conflicts of interest under your Code of Conduct, please reach out to Sarah Artist, our Senior Manager at sarah.artist@centium.com.au.
Centium has recently been engaged by several NSW Councils to evaluate whether legislative requirements are addressed in their Integrated Planning and Reporting (IP&R) documents.
These evaluation assessments are timely considering that councils are starting to prepare for the next IP&R cycle and provide councils with an opportunity to reflect on and assess their current suite of documents prior to their review for the September 2024 elections.
The Scope of our value-adding, maturity assessments is to evaluate whether IP&R processes are managed efficiently and accurately and for the benefit of Council and the community.
Our methodology involves an assessment against the Integrated Planning & Reporting Handbook (Office of Local Government, 2021) standards, which includes a checklist for councils in preparing their IP&R documents.
We assess the maturity of each of our clients’ IP&R elements against the Handbook (i.e. good, better, best).
As our portfolio of engagements builds, we would now offer some reflections on the maturity of each IP&R element (noting of course that every council is different!).
Firstly, while the preparation of the overarching 10 year, four year and one year corporate documents are on the whole adequately resourced within councils, the individual elements of the Resourcing Strategy (e.g. Asset Plans, Budgets and Workforce Plans) are often developed in isolation and not well-aligned with other key corporate documents.
For example:
| Long-Term Financial Plan | Key workforce management strategies are not always reflected in the Delivery Program. Would benefit from a detailed review of labour needs and gap analysis Costs associated with delivering the Workforce Management Strategy not reflected in the Long Term Financial Plan. Not always well aligned and often requires more consultation. |
| Workforce Management Planning | Asset registers and condition information are not up-to-date and regularly reviewed. Asset management plans are outdated. |
| Asset Management Strategy & Plans | Asset registers and condition information are not up-to-date and regularly reviewed. Asset management plans are outdated. |
All of our recommendations are first shared with council’s management team prior to finalising, and by presenting our agreed recommendations to the Audit, Risk and Improvement Committee we raise awareness and facilitate consideration of resourcing and timing issues.
In all cases, we have appropriately shared better practices and case studies to assist councils to build capacity and inform planning of IP&R processes for the next cycle. We have also supported the resolution of complex integration and alignment issues by facilitating workshops with Executive teams as and when requested.
Centium’s integrity, independence, and extensive experience in providing risk and assurance services to a wide range of private and public sector organisations contributes to ensuring that our views are objective, and our analysis is sound and evidence based.
For further information on the IP&R Internal Audits, please contact Penny Corkill, Director Risk & Assurance on +61 0409 251 011 or email Penelope.Corkill@centium.com.au.
Cyber attacks can happen to any business at any time – reports show that in 2022, a cyber crime was reported every seven minutes. Targets vary from SMEs to large government departments and organisations, and they are increasing in both severity and frequency, with the capacity to cost organisations thousands of hours and millions of dollars. The average cost per incident for medium business was $88,000.
A Cyber Incident Response Plan enables the timely, consistent, and appropriate response to suspected and confirmed security incidents. An effective Plan will protect information and assets and minimise harm to individuals/entities that may be affected by the incident.
Such plans are also intended to promote consistency in the way that an organisation prepares for and responds to a security incident, by documenting roles and responsibilities, risk assessment and escalation procedures, and notification requirements.
The following video discusses the benefits of Cyber Incident Response Plans:
The sixth annual Cyber Resilient Organization Study (conducted by IBM Security and the Ponemon Institute) showed that more than half of organisations with Cybersecurity Incident Response Plans fail to test them or had no timeframe set for testing. This can leave them less prepared to effectively manage the complex processes and coordination that must take place in the wake of an attack.
Earlier this year, the highly regarded Ponemon Institute released its annual Cost of a Data Breach Report. This year’s report offers insights into cyber breaches from March 2022 and March 2023, alongside recommendations on how to reduce business risk. Within the report there were several key findings, including how testing has played a role in reducing the cost of a data breach:
“Organizations with both an IR [Incident Response] team and IR plan testing identified breaches 54 days faster than those with neither..”
Now, we are presuming that you have a solid cyber security incident response plan in place, and it’s communicated to all required stakeholders. But does it work in the real world?
To quote Mike Tyson, “Everyone has a plan until they get punched in the mouth.” And when a real cybersecurity incident occurs, the punches will be flying. So, you need to regularly test your cybersecurity incident response plan, along with the capacity of the people and technology that will carry it out to make it more effective.
If you're not motivated to do regular testing, others may provide the purpose you need. Major third-party compliance frameworks such as NSW Cyber Security Policy (CSP), MAS TRM, SOC 2 and PCI DSS, for example, require an annual test of your incident response plan, even though they don’t specify an exact testing approach. Your organisation's cybersecurity maturity and risk level may also indicate that you need semi-annual or quarterly tests.
By implementing a regular testing regime your testing will become more effective and you will have more frequent opportunities to identify components of the plan that have gone out of date.
Your customers may have more stringent security contractual requirements than the frameworks about the testing approach. We have seen some companies recently tell potential vendors that their testing process is not rigorous enough. This has resulted in the vendor having to decide whether the contract was valuable enough to justify the time and expense of running a thorough simulation test every year to satisfy and hopefully retain the customer.
A tabletop exercise is a discussion-based session where a team discusses their roles and responses during a security incident, walking through one or more example scenarios. The atmosphere is collegial and exploratory. The primary objectives of the tabletop exercise are to:
In this, a facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination, and decision-making. It's only worth starting a tabletop exercise if you already have some form of response plan in place for the scenario you'll be running through. Tabletop exercises are great for testing plans.
Functional exercises allow personnel to validate their readiness for emergencies by performing their duties in a simulated environment. These tests not only evaluate what your team would do when confronted with a major incident but also how they would do it. Unlike simulated attacks, which are often still conducted tabletop style, functional exercises are designed to test the roles and responsibilities of specific team members, procedures, and assets involved in one or more practical aspects of a plan (e.g., communications, emergency notifications, IT equipment setup).
Functional exercises vary in complexity and scope, from validating specific elements of a plan to full-scale exercises that address all plan elements. Functional exercises allow staff to execute their roles and responsibilities in an actual emergency situation, albeit in a simulated manner.
Tests are evaluation tools that use quantifiable metrics to validate the operability of an IT system or system component in an operational environment. A test is conducted in as close to an operational environment as possible.
Tests and exercises vary in complexity and level of effort, with functional exercises and tests providing the highest assurance that incident response plans and procedures would operate as intended during a real incident. Tabletop exercises provide a good mechanism to ensure personnel with incident response duties understand their roles, responsibilities, and procedures.
Guideline NIST SP 800-61 establishes the incident response life cycle, summarised in the table below. The incident response life cycle should be the basis of the organisation’s incident response policy and procedures, and the policy and procedures should be built to include activities performed at each stage of the life cycle.
| IR Lifecycle Stage | Summary of Incident Activities |
| Preparation | 1. Provide training and awareness for all individuals in recognising anomalous behaviour and specific reporting requirements for suspected breaches 2. Gather contact information for incident handlers 3. Gather hardware and software needed for technical analysis; and 4. Perform evaluations, such as tabletop exercises, of the Incident Response (IR) capability. |
| Detection & Analysis | 1. Monitor information system protection mechanisms and system logs 2. Investigate reports of suspected breaches 3. Notify Authorities |
| Containment | 1. Choose and implement strategy for preventing further loss based on level of risk 2. Gather and preserve technical evidence, if applicable |
| Eradication | 1. Eliminate components of the incident, such as deleting malicious code and disabling breached user accounts, if applicable. |
| Recovery | 1. Restore systems via appropriate technical actions such as: restoring from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, and tightening network perimeter security. |
Organisations should develop test and exercise material to guide the execution of the test, including a test scenario for a hypothetical breach. The table below provides some example scenarios that can be tailored to meet organisation needs:
| Breach Scenario | Tabletop Exercise Objectives |
| Through a routine evaluation of system logs, a system administrator discovers that data has been exfiltrated from the system by an unauthorised user account. | 1. Determine the actions that would help prevent this type of incident (preparation). 2. Determine the controls in place that would help identify this incident, along with procedures on how to report the incident (detection and analysis). |
A remote user has lost his/her laptop. The user’s job function required that organisation data be stored on the laptop. | 3. How to prevent further damage (containment), 4. How to clean the system (eradication |
| After a recent office move, it is discovered that a locked cabinet containing sensitive data is missing. | 5. How to restore the system in a secure manner (recovery). |
Evaluating the exercise is a critical step to ensuring success of the incident response program. After the test or exercise is complete, the participants should conduct a debriefing to discuss observations for things that worked well and things that could be improved.
The comments and issues that emerge during the debriefing, along with lessons learned documented by the data collector during the exercise, should be captured in the Post Action Report (PAR). The PAR should also document observations made throughout the exercise and participants during the exercise and recommendations for enhancing the IR plan that was exercised.
In general, IR tests and exercises should:
You should regularly review and update the incident response plan (including threat specific plans) and practice them regularly.
Centium has extensive experience partnering with clients to raise cyber security awareness, identify and manage cyber and IT risks, and build resilience. Our cybersecurity professionals are highly skilled at translating technical concepts into practical plans and procedures.
We also have a proven track record creating robust incident response plans (including threat specific playbooks) and facilitating scenario tests that enable organisations to realise and address gaps in existing planning documents quickly.
Our approach allows your staff to actively participate in facilitated scenarios and role plays, while we independently observe proceedings. At the end of the workshop, we will debrief with the team, and provide a report on our findings and opportunities for improvement.
Contact our Director, Cyber, & Information Management for a no-obligation discussion on 0412 562797 or Scott.Thomson@centium.com.au. Alternatively, browse Centium's range of Cyber & Information Management services.
Well, who would have thought that one of the major international talking points this past week (at least amongst the world’s cricket playing nations) would be on the interpretation of Law 38 of the Laws of Cricket!!
The stumping of England batsman Johnny Bairstow and the subsequent furore regarding perceived poor sportsmanship and allegations of “not being in the spirit of the game” have reached into the hallowed Lords Members Stand and the front and sporting pages of hundreds of publications around the world. Even Prime Ministers Rishi Sunak and Anthony Albanese have joined the commentary, which to my recollection is the first time cricket has been elevated to this level since the Bodyline series of the 1930’s.
While the umpires have ruled that the dismissal was entirely within the rules of the game, various sporting dignitaries past and present have expressed the opinion that at times such Laws need to be flexibly applied, including the provision for the fielding captain to have a veto power to reverse invoking such Laws (by withdrawing an appeal).
You may be wondering what is the relevance of this sporting controversy, and how it translates to our workplace? All of us, especially those who work within the Public Sector, operate in organisations whose mandates and operations are governed by a fairly rigid framework of legislation, policies, procedures, rules and guidelines. Such a framework is essential to ensure transparency, accountability, effective use of public monies and acceptable behaviour by staff members, while ensuring the objectives of the organisation are being realised.
However, there are times when emerging issues, human behaviour and/or a lack of precedent places delegated decision makers in the difficult position of having to make a choice between inflexibly applying the “letter of the law”, or adopting a more pragmatic approach to addressing a particular issue.
A classic example of this was the very effective manner in which most organisations responded to the Covid pandemic, whereby innovative flexible working arrangements and service delivery approaches were rapidly adopted by management and staff, notwithstanding they may have not been consistent with prevailing Industrial Relations rules and policies. In relation to business continuity and the provision of ongoing quality services to the clients of such organisations, previously unheard of flexible service delivery arrangements were agreed upon by all parties and rapidly implemented.
Another example was the morphing of the fieldwork components of internal audit and risk management reviews from previously being almost entirely on-site to the current, more cost-effective and equally compliant hybrid of remote and onsite components. This hybrid model has proven to be so successful that it is expected to continue well beyond covid.
While governing Legislation and related Departmental Policies must be respected and religiously complied with, recent occurrences have shown there is still scope for flexibility to apply practical and client-centric interpretation of the procedures related to such governance frameworks. When exercising this flexibility it is important to be totally transparent, ensure all key stakeholders are involved and fully informed and that all key decisions and supporting documents are documented and securely stored.
Because after all, no one wants to be caught out or bowled over by an unexpected googly!!
If you would like to explore how Centium’s assurance and transformation specialists can help your organisation flexibly manage the unexpected during periods of change, please contact: Phil O’Toole, Managing Director at phil.otoole@centium.com.au.
The NSW Audit Office recently released its 2022 report on local government and highlighted many areas of improvement required of local governments. The audits revealed that 47% of councils lacked a cyber security plan, leaving their data and assets vulnerable. Additionally, deficiencies were found in crucial areas such as policies, procedures, privileged access management, and internal controls. The report warns of potential consequences, including data destruction, theft, denial of service(s), and the financial impacts of repairing affected systems, networks, or devices. Establishing a solid foundation for cyber security requires implementing controls outlined in the NSW Office of Local Government Cyber Security Guideline, as well as technical controls provided by the Australian Cyber Security Centre and their Essential Eight controls.
The significance of cyber security is increasing as a threat and cannot be underestimated, affecting all organisations, including local government. Data from the Australia Cyber Security Centre indicates that the average cost of a cyber security incident for medium-sized organisations exceeds $80,000 per incident. Safeguarding the confidentiality, integrity, and availability of data and systems is crucial in mitigating both external threats and internal vulnerabilities caused by poor practices and processes. The initial steps to address this issue involve developing a robust cyber security plan and implementing a comprehensive cyber security framework, complete with policies and procedures. These measures help establish clear roles and responsibilities throughout the organisation. Supporting these efforts with regular cyber security training and awareness programs for all staff is essential. Testing incident response plans and conducting simulations of cyber-attacks through techniques like penetration testing and phishing simulations are effective ways of ensuring that plans and playbooks are thorough and well-practiced for when they are really needed.
Over the past two years, Centium has conducted health checks and audits on cyber security for more than a dozen councils. As a result, we have gained valuable insights into the level of maturity of these councils in relation to the Office of Local Governments Cyber Security Guidelines. Through this work, we are able to offer our clients benchmark data, enabling them to better understand their level of maturity in comparison to the guidelines set by the State of NSW. However, it is important to emphasise that the goal should not simply be to achieve the highest level of maturity across the State, but rather to effectively manage the specific risks and threats each Council faces.
We also stress to our clients that building and implementing their cyber security plan is a multi-year journey that requires engagement from all aspects of the organisation. It should not be seen as solely an issue for the IT department or systems. Robust training and awareness programs are necessary to foster a shift change in the culture within councils to identify and manage cyber security risks as part of day-to-day operations.
The approach taken to identify and manage cyber security risks should be consistent with the council’s enterprise risk management framework. Special attention should be given to ensuring that the risk analysis accurately reflects the likelihood and consequences of cyber threats. This may entail a review of their broader risk management framework for some councils. At the very least, it provides an opportunity for councils to refresh their risk registers and ensure they reflect all current and emerging risks.
We look forward to opportunities to work with more councils and assist them in understanding their current cyber security posture. Our expertise can help identify areas where improvement is needed and provide recommendations to enhance your Cyber Security maturity, security and overall resilience. If you would like to explore how we can help your organisation, please contact: Scott Thomson, Director of Cyber & IT at scott.thomson@centium.com.au.
Our Clients
