
Ensure the Protection of Data and Assets

The NSW Audit Office recently released its 2022 report on local government and highlighted many areas of improvement required of local governments. The audits revealed that 47% of councils lacked a cyber security plan, leaving their data and assets vulnerable. Additionally, deficiencies were found in crucial areas such as policies, procedures, privileged access management, and internal controls. The report warns of potential consequences, including data destruction, theft, denial of service(s), and the financial impacts of repairing affected systems, networks, or devices. Establishing a solid foundation for cyber security requires implementing controls outlined in the NSW Office of Local Government Cyber Security Guideline, as well as technical controls provided by the Australian Cyber Security Centre and their Essential Eight controls.

The Growing Threat to Local Government

Cyber security is a growing threat whose significance cannot be overstated, and it affects all organisations, including local government. Data from the Australian Cyber Security Centre indicates that the average cost of a cyber security incident for medium-sized organisations exceeds $80,000 per incident. Safeguarding the confidentiality, integrity, and availability of data and systems is crucial in mitigating both external threats and internal vulnerabilities caused by poor practices and processes. The initial steps to address this issue involve developing a robust cyber security plan and implementing a comprehensive cyber security framework, complete with policies and procedures. These measures help establish clear roles and responsibilities throughout the organisation. Supporting these efforts with regular cyber security training and awareness programs for all staff is essential. Testing incident response plans and conducting simulations of cyber-attacks through techniques such as penetration testing and phishing simulations are effective ways of ensuring that plans and playbooks are thorough and well-practised for when they are really needed.

Centium's Expertise in Local Government Cyber Security

Over the past two years, Centium has conducted health checks and audits on cyber security for more than a dozen councils. As a result, we have gained valuable insights into the level of maturity of these councils in relation to the Office of Local Government's Cyber Security Guidelines. Through this work, we are able to offer our clients benchmark data, enabling them to better understand their level of maturity in comparison to the guidelines set by the State of NSW. However, it is important to emphasise that the goal should not simply be to achieve the highest level of maturity across the State, but rather to effectively manage the specific risks and threats each Council faces.

We also stress to our clients that building and implementing their cyber security plan is a multi-year journey that requires engagement from all parts of the organisation. It should not be seen as solely an issue for the IT department or its systems. Robust training and awareness programs are necessary to foster a cultural shift within councils so that cyber security risks are identified and managed as part of day-to-day operations.

The approach taken to identify and manage cyber security risks should be consistent with the council’s enterprise risk management framework. Special attention should be given to ensuring that the risk analysis accurately reflects the likelihood and consequences of cyber threats. For some councils, this may entail a review of their broader risk management framework. At the very least, it provides an opportunity for councils to refresh their risk registers and ensure they reflect all current and emerging risks.

Partner with Centium for Enhanced Cyber Security

We look forward to opportunities to work with more councils and assist them in understanding their current cyber security posture. Our expertise can help identify areas where improvement is needed and provide recommendations to enhance your Cyber Security maturity, security and overall resilience. If you would like to explore how we can help your organisation, please contact: Scott Thomson, Director of Cyber & IT at scott.thomson@centium.com.au.

One of the biggest and most welcome changes to the modern workplace has been the increased focus on employee mental health and wellbeing. And we don’t mean the ‘mindfulness messages’ on your smart watch or the endless parade of ‘wellness gurus’ on social media…we’re talking about genuine, organisational attempts to make (and keep) employees comfortable, balanced and engaged while at work.

While the COVID-lockdown period was hard on everyone, employee engagement continues to be challenging during the post-lockdown ‘hangover’ period. While some employees have thrived away from the office environment (and are resisting and feeling stressed about returning to the office), others have struggled with the social isolation caused by long periods away; some may even have developed mental illnesses as a result. In each case, it is unlikely that an ‘inspirational’ poster, innovative social activity, or a communal tin of biscuits will be an adequate organisational mental health and wellbeing strategy.

The impact of good (and bad) wellbeing policies

Disgruntled and dissatisfied employees can result in unhealthy conflict, a lack of productivity, increased staff turnover, and the increased risks of fraud, corruption, and potential sabotage. On the other hand, engaged employees are known to:

  • Be more productive, creative, resilient, and collaborative;
  • Take less sick leave; and
  • Give greater loyalty to their employer

Apart from the obvious benefits to both the employer and the employed that emerge from supporting a happy and productive workforce, it is also important to note that employee mental health is a Workplace Health and Safety issue.

Employers have a legislated responsibility to manage health risks and hazards in the workplace, including psychosocial ones. A mentally healthy workplace is not just ‘nice to have’, it is something organisations should actively pursue.

This raises the questions:

What makes for a mentally healthy workplace?

and

How can we be sure that our workplace is doing a good job in supporting the positive mental health of our employees?

They might sound like heavy questions, but with the right tools, they don’t have to be hard to answer.

Get an Organisational Health and Wellbeing check

In order to help both private and public organisations answer questions around mental health and wellbeing policies and improve their level of support, Centium has developed a Health Check to assess your organisation’s approach to Workplace Mental Health and Wellbeing.

The Health Check is comprehensive, and includes:

  • A focus on organisational legislative responsibilities in relation to Health and Safety
  • Key guidance and better practice principles, such as the new SafeWork NSW Code of Practice for Managing Psychosocial Hazards at Work
  • Systematic reviews and evaluations of an organisation’s relevant policies, procedures, safety plans, responsibilities, support services, and training, against the governing legal requirements and better practice advice

Centium’s integrity, independence, and extensive experience in providing risk and assurance services to a wide range of private and public sector organisations contribute to ensuring that our views are objective and our analysis is sound and evidence based.

For further information on the Health Check please contact Penny Corkill, Centium’s Director of Risk and Assurance on 0409 251 011 or email Penelope.Corkill@centium.com.au.

Centium is delighted to extend our warmest congratulations to Armidale Regional Council (ARC) for being one of the 17 NSW councils to receive IPART's approval of their Special Rate Variation application. This approval demonstrates recognition that Councils are facing significant cost pressures in providing vital services to communities.

Out of the 17 councils that applied to exceed the limit, 14 had their applications approved in full, while the remaining three were granted an increase above the cap. This additional income will provide vital support to Councils in managing their service delivery and significant assets.

During 2022, Armidale Regional Council made proactive and transparent efforts in community engagement, which played a pivotal role in their success. The comprehensive community outreach, including reference panels, stakeholder and public meetings and surveys, demonstrated a commitment to fostering a strong level of understanding within their community. Centium is proud to have played a part in this success by supporting ARC in their communications and community engagement strategy and approach – view report here.

ARC's vision for a prosperous and sustainable region is truly inspiring, especially considering the challenges of rate capping and a difficult economic climate. This rate rise will provide the necessary resources to deliver essential services and drive positive change in the region.

In their decision-making process, IPART carefully weighed the cost-of-living stress experienced by ratepayers against the risk of service losses. They also considered the affordability factor, taking into account the financial pressures faced by residents. It is worth noting that IPART has gone a step further by urging the State Government to explore alternative funding sources and investigate the financial model for local councils, with the aim of ensuring their long-term financial sustainability without relying solely on substantial rate increases.

Congratulations once again to Sam Coupland, James Roncon and the entire Leadership Team for this well-deserved recognition. Centium is proud to have supported your success.

Contact Us to Learn More

If you are interested in learning more about how we could help your Local Government in a communications and community engagement strategy for a Special Rate Variation, please contact us at Centium for a no-obligation consultation:

You only have to turn on the news to witness the almost daily reporting of conflict of interest instances. Senior executives, politicians, Board Members and public servants are regularly finding themselves in difficult situations by not appropriately managing an actual, perceived or potential conflict of interest.

The potential costs of failing to properly manage conflicts of interest can be financially devastating. They can also be costly in terms of the staff time involved in responding to investigations by regulators, anti-corruption agencies and Ombudsmen, not to mention the irreparable damage to the agency’s and individuals’ reputations.

Decisions tainted by a conflict of interest - big or small - eat away at integrity, expose us to accusations of unfairness (or worse) and risk outcomes which are not in the public interest. All employees need to be alert to the dangers and be supported to avoid and manage such conflicts.

So, how can we develop and encourage the right frameworks and skills to avoid or manage conflicts, and support each other in achieving transparent, impartial decision making?

We asked our experts to describe what an effective Conflict of Interests Policy and Framework should include.

They provided this checklist of the key elements and management strategies:

  1. Conflicts of Interests Register: Every agency needs to have a Conflicts of Interests Register, preferably on the agency intranet, and determine which business unit or position is responsible for the Register.
  2. Staff induction and further training: New employees should be obliged to complete an induction session and other relevant mandatory training modules within a specified time after their appointment.
  3. Staff Disclosures: When a person is first appointed to the agency or assigned to projects with a significant potential for conflicts of interest, they must be required to disclose actual, reasonably perceivable, and potential conflicts of interest within a specified time and record them in the Conflicts Register. Those conflicts and the effectiveness of adopted management strategies should be regularly reviewed.
  4. Content of declarations: The Policy should identify what type of matters need to be disclosed depending on what would constitute a conflict of interests in particular roles within the agency and their responsibilities (e.g. senior executives, managers or subject matter experts).
  5. Private interests: ‘Private interests’ needs to be defined to include definitions of ‘family’, ‘close friends’, ‘close personal relationships’, and ‘business associates’.
  6. Categorisation of pecuniary v non-pecuniary; direct v non-direct interests: Conflicts of interest are usually categorised as either pecuniary or non-pecuniary interests. The difference between the two has implications for how the interests are managed. An alternative approach is to distinguish between direct and indirect interests. The difference between these two is the degree of control the individual concerned has over the interest.
  7. Stakeholder Contacts Register: Where relevant to the work employees or contractors etc. perform, they should be required to record each occasion they contact specified stakeholders in a social setting. This is especially relevant for Councillors and staff in dealing with property developers.
  8. Awareness of possible conflicts of interest: Managers should compare the information about previous employment in the CVs of successful applicants for positions with the content of the declarations of interests made by those individuals. Where position holders perform particularly sensitive roles, it may be appropriate for managers to access, or seek consent to access, the social media accounts of successful applicants to identify any social contacts of the individual that need to be disclosed in the Conflicts Register.
  9. Sign-off on conflicts of interest: Before signing off on initial, bi-annual and any specific project declarations, relevant managers should ensure that any information they are personally aware of relating to the staff member that could involve a conflict of interests has been disclosed by that staff member.
  10. Management strategies:
    • Restrictions on direct involvement in specified projects, activities, decision-making
    • Restrictions on access to certain information
    • Directions not to disclose certain information or discuss certain projects, activities or decisions
    • Directions to disclose (in the Stakeholder Contacts Register) any contact with specified individuals or staff of specified organisations in a social setting
    • Requests or directions to sell, assign, etc., a ‘direct’ pecuniary interest within specified periods
    • Transfer of employees to other positions within the agency at the same grade and requiring similar expertise
    • Termination of employment

Ensuring a complete and comprehensive COI policy

The above elements are strongly recommended to be included as part of your Conflict of Interest policy and framework. However, they act as minimum requirements only and should be augmented by further items that directly apply to your specific work environment. Conflict of Interest policies should also be regularly reviewed to ensure their relevance in changing environments.

At Centium, we have extensive experience in managing, advising and reviewing Conflict of Interest frameworks and investigations. Our team of experts includes a prior NSW Ombudsman of 25 years.

We can help review your Conflict of Interest policy and related procedures and reporting, undertake audits of registers, employment, induction and training programs, as well as deliver training to new and existing staff.

For more information around conflict of interest policies and investigations, view our ethical conduct & investigation services. For a confidential discussion or further assistance in reviewing your existing framework or further guidance, please get in touch.

View the full checklist in PDF format.

Managing Fraud

Managing fraud and corruption control can be a daunting task for organisations. The challenge is to ensure that your Fraud and Corruption Control System (FCCS) addresses risks relevant to your organisation without going overboard.

At Centium, we will help your organisation navigate this complex terrain. In this article, we explain how our Fraud and Corruption Evaluation Tool (FACET) provides transparent advice and guidance on an appropriate, “right-size” level of fraud and corruption control for your organisation.

The first step to effective fraud and corruption prevention is to determine your organisation’s sensitivity to such risks. Using our FACET tool, we interview key stakeholders and gather information about your business to assess and confirm its sensitivity to a fraud and corruption incident.

This level of sensitivity determines the level of maturity we recommend for your FCCS, as shown in the rating scorecard below. Sensitivity ratings range from Low through Medium to Critical, each with a recommended minimum standard.

Importantly, this information allows us to recommend an overall maturity level for your FCCS. For example, if you have a very high or critical sensitivity, we might recommend “Leading” controls. Conversely, if you have a medium sensitivity, “Sound” or “Strong” controls might be more appropriate.

We encourage you to involve and engage your Board and/or Executive Team in this part of the assessment by asking them to confirm our results.

Analysing Your Current FCCS

Once we have determined the recommended maturity level for your FCCS, we use FACET to help analyse the current state. This involves gathering more detailed information on your organisation’s charters, codes of conduct, policies, procedures, and interviewing key personnel.

Our Auditor then assesses and inputs this information into FACET, and determines the current status or maturity level of your FCCS against constituent elements such as: Foundations, Prevention, Detection, and Response. At this stage we also benchmark the maturity status of your FCCS against similar-sized organisations within your operating environment.

Below is a visual of how an ‘Assessed Maturity Level’ might look for your organisation.

Target Advice with FACET

Our targeted advice provides your Board and Executive Team with a transparent and logical call to action and approach.

It enables you to implement an appropriate, targeted and ‘right-sized’ FCCS without over-engineering or over-complicating the recommended approach. See a visual example of how a ‘Target Maturity Level’ can look for your organisation.

Centium Client Feedback

Our clients have provided positive feedback on our FACET approach and its results. Our tool embodies our values at Centium, providing smart, evidence-based solutions that are holistic and tailored to your organisation’s needs.

Contact Us to Learn More

If you are interested in learning more about FACET and how this can benefit your organisation, please contact us at Centium for a quote or no-obligation demonstration:

In late 2022, the NSW Government passed the Privacy and Personal Information Protection (“PPIP”) Amendment Act, which will come into effect on 28 November 2023.

This will have a significant impact on many public sector clients, especially those in Local Government, State-owned Corporations and higher education who are not already subject to the Privacy Act 1988 of the Commonwealth.

Mandatory Compliance is Important

One of the most significant impacts of the PPIP Amendment Act is the mandatory notification of data breach scheme. To comply with the Act, your organisation must have completed or have in place the following:

  • Classified and labelled all data;
  • Regularly trained all staff on the proper handling of personal information and the internal procedure for notification of suspected data breaches;
  • Documented data ownership (including roles and responsibilities for owners and custodians);
  • Established effective data governance;
  • Actively monitored your IT environment for data leaks and breaches;
  • Documented your data breach response plan (including decision-making processes and delegations, how you will notify impacted parties, and how you will comply with the mandatory data breach reporting requirements); and
  • Tested your plan annually and ensured that all parts of the organisation have the knowledge and ability to execute their responsibilities under the plan.

Data Breach Reporting and Mitigation

Under the Act, organisations must investigate if any employee has reasonable grounds to suspect that a breach has occurred. This must be reported to the head of the agency or organisation, who must immediately make all reasonable efforts to contain the data breach and ensure that within 30 days an investigation is carried out to assess if there was an eligible data breach.

Heads of organisations are responsible for the immediate notification of the eligible data breach to the Privacy Commissioner.

A key principle that must be applied under the Act is that organisations address the mitigation of harm done by the suspected data breach. This would include management of public relations and media interest in the incident. Ensuring that the public relations and media unit’s roles are clearly defined and tested in the response plan is critical to ensuring that this principle is met.

How Centium Can Help

Centium is experienced in helping organisations minimise their risk of non-compliance with the Act by providing tailored assistance and support services through:

  • Health checks on data and information governance and management;
  • Facilitated workshops to develop and document robust policies and procedures;
  • Customised eLearning modules on data privacy and internal reporting;
  • Facilitating testing of your response plans and reporting protocols; and
  • Undertaking investigations where a suspected or actual breach may have occurred.

How to get in touch with Centium

  • Please contact Scott Thomson, Director of Cyber & IT at Centium at: Scott.Thomson@centium.com.au
  • Please provide a short description of the area of concern or risk you need help to minimise. We will work with you and provide tailored assistance and support.
  • Our initial consultation and solution overview will be both cost and obligation-free.

The new PID Act 2022 is scheduled to come into force later in 2023. The new Act is substantially different to the PID Act 1994. It significantly strengthens criminal penalties and civil liabilities for individuals and agencies, imposing onerous training and awareness responsibilities on all managers and employees. 

To ensure all those impacted are aware and informed of the changes and their implications, Centium has requested former Deputy Ombudsman Chris Wheeler to undertake a review and comparison of both Acts, which has identified the following major changes and updates.

1. Complexity of the legislation

The PID Act 2022 is far more complicated than the PID Act 1994:

  • Instead of 1 category of PID consisting of 4 types of PIDs (PIDs by public officials or by contractors to public authorities and investigating authorities, PIDs by public officials as part of their functions or under legal obligations, and PIDs to MPs or journalists), the new Act has 3 categories of PIDs (Voluntary, Witness and Mandatory) and distinguishes between 12 types of Voluntary PIDs and 2 types of Witness PIDs (based on the applicable criteria, the procedures to be applied and/or the protections available)
  • The procedures for dealing with various types of PIDs are convoluted
  • The drafting is far more legalistic.

2. Statutory responsibilities of agencies and heads of agencies

There are far more statutory PID responsibilities on each agency and the ‘head of agency’. The primary responsibilities under the PID Act 1994 have been more than doubled under the new Act, including:

  • Comprehensive and ongoing training and awareness obligations in relation to most staff
  • Obligations to provide significantly more extensive and detailed information to the makers of Voluntary PIDs and the NSW Ombudsman
  • An obligation to undertake steps to assess and minimise the risk of detrimental action being taken against a person as a result of the making of a Voluntary PID
  • A requirement that all contracts or subcontracts under which a person or body is engaged to provide services on behalf of an agency include a series of terms requiring the engaged person or body to, amongst other things:
    • Ensure all individuals involved in providing services under the contract are made aware they are ‘public officials’ for the purposes of the PID Act, how to make a Voluntary PID, the contracting agency’s PID Policy, etc
    • Notify the contracting agency of any Voluntary PID they become aware of, and any serious wrongdoing committed or alleged to be committed by an individual providing services under the contract

3. Criminal penalties and civil liabilities

The criminal penalties and civil liability provisions have been significantly strengthened:

  • Criminal offence: The test has been lowered from detrimental action being ‘substantially in reprisal’ for a PID to merely being ‘a contributing factor’. A reverse onus of proof applies.
  • Criminal offence: A new detrimental action offence has been added to cover investigators of serious wrongdoing. The relevant test is also ‘a contributing factor’ and a reverse onus of proof applies.
  • Criminal penalties: The potential penalty for taking detrimental action has been doubled from $11,000 to $22,000 and from 2 years imprisonment to 5 years.
  • Civil liability: The test in proceedings seeking damages for injury, damage or loss has been lowered from detrimental action being ‘substantially in reprisal’ for a PID to merely being ‘a contributing factor’, and a reverse onus of proof now applies. Under the new Act a court can order that the employer of a person found to have taken detrimental action be made liable to pay the damages, in whole or in part.
  • Compensation for detrimental action arising out of a failure to manage risk: A new liability provision has been added where a person suffers injury, damage or loss as a result of an agency failing to take steps to assess and minimise the risk of detrimental action. A reverse onus of proof applies.
  • Injunctions: An application for an injunction in relation to the commission or possible commission of a detrimental action offence can now be made by the maker of a PID or another person against whom detrimental action has been or may be taken.

4. Statutory obligations on employees

Almost all employees of an agency will have statutory obligations under the new PID Act:

  • Managers: Voluntary PIDs can be ‘made’ to the ‘managers’ of an agency (defined very broadly). The criminal offence and civil liability provisions in the Act apply when a Voluntary PID is ‘made’ to a ‘manager’, whether or not the maker of the disclosure or the manager realise that the information constituted a Voluntary PID.
  • Disclosure officers: The ‘disclosure officers’ for an agency will include the most senior ongoing employee who ordinarily works at each agency ‘worksite’ (undefined) at which more than 1 person is employed.

5. Scope of ‘serious wrongdoing’

The categories of conduct that can be the subject matter of a Voluntary PID have been significantly broadened. For example, under the 1994 PID Act ‘maladministration’ was defined to be conduct of a ‘serious nature’. Under the 2022 Act, this category of conduct has been renamed ‘serious maladministration’ but redefined to be conduct ‘other than conduct of a trivial nature’.

6. Likely number of disclosures

The number of disclosures made under the new Act will most likely be significantly greater than under the 1994 Act due to:

  • The broader scope of some of the categories of conduct under the new Act by the inclusion of references to ‘other than conduct of a trivial nature’ into the definitions of ‘serious maladministration’, ‘government information contravention’ and the definition of the new ‘privacy contravention’ category of conduct.
  • Greater awareness of the Act amongst staff and contractors as a result of the PID training and awareness obligations imposed on agencies.
  • The new Mandatory PID and Witness PID categories of PIDs, including that any ‘public official’ who discloses any information in an ‘investigation’ (very broadly defined) of ‘serious wrongdoing’, at the request of or in response to a requirement of the person or agency conducting the ‘investigation’, has made a Witness PID.
  • The obligations imposed on contractors and sub-contractors as detailed in point 2.

7. Likely resource impacts

The key resource impacts of the new PID Act are likely to relate to:

  • Training and awareness: The ongoing requirement to train all managers and all disclosure officers, and to ensure the awareness of all employees and persons in the service of an agency (including the staff of contracting persons and bodies).
  • Numbers of disclosures: The broader scope of the conduct that can be the subject of a PID, the comprehensive training and awareness obligations and the new provisions to be incorporated into agency service contracts are likely to increase the numbers of PIDs.
  • Performance management of under-performing staff: Given that a significant proportion of PIDs are triggered by perceived unwarranted performance management action, managers need to be trained in the management of under-performing staff and related difficult conversations.

Ensuring your organisation is ready for the changes

Understanding these changes, their impact on your organisation, and ensuring they are incorporated into your processes and training will be critical once the new Act comes into effect. This is the first major change to PIDs in almost 30 years, and organisations may need specialist support to acclimate.

Centium provides professional consulting services to Australian state, federal and local government bodies. We specialise in the provision of risk & assurance, probity, cyber security and workplace investigation services.

Updates to Centium's Investigation Team

We are very pleased to announce that we have recently refreshed our Investigations team which now comprises 12 experts, each with over 30 years of relevant experience. The team, which will be led by Centium’s Managing Director Phil O’Toole, includes the author of this article, Chris Wheeler, who was the NSW Deputy Ombudsman for 25 years. The flyer below provides further details about the team and Centium’s Investigations capabilities.

For more information on any of the changes discussed or for support in managing and integrating the PID Act 2022, please contact Managing Director, Phil O’Toole at phil.otoole@centium.com.au.

Legislative Drivers

In September 2021 the NSW Office of Local Government published new guidelines for Integrated Planning and Reporting (IP&R), which included a new requirement to publish a program of Service Reviews:

4.3 To encourage continuous improvement across the council’s operations, the Delivery Program must identify areas of service that the council will review during its term, and how the council will engage with the community and other stakeholders to determine service level expectations and appropriate measures.

This focus on service reviews within the IP&R Guidelines follows through on the changes made to the NSW Local Government Act in 2016, which included a new statement that the role of the governing body is ... to keep under review the performance of the council, including service delivery (s223(1)(g)).

The responsibility for service reviews was also included in the responsibilities of the Audit, Risk and Improvement Committee (s428A(2)(g)), which must monitor the service reviews undertaken by the Council.

How does this new requirement look in practice?

We wanted to see how our Councils are complying with this new requirement, so we took a sample of twenty of our clients’ Delivery Programs (2022-2026) to analyse the current state of play. Here’s a summary of our findings:

  • Doesn’t comply – four out of twenty of the Councils we selected had no mention of service reviews in their recently adopted Delivery Program.
  • Internal approach only – two of our sample talked about their internal approach to service review, without giving any commitment to further develop or publish their program or their results.
  • Intending to develop a program – this was the largest category with seven of the sample publishing an intention to develop a program next year.
  • Lists specific services which will be reviewed – four of the sample nominated individual services (say three or four) which will be reviewed over the term of the delivery program.
  • Commits to reviewing all services in the next Council term – one council published a four year schedule listing all of their services and nominating which year each will be reviewed.
  • Organisation-wide rationale to reviewing individual services – two of the sample published a rationale for the overarching program as well as a selective, realistic and targeted approach to individual service reviews.

Spotlight on Cumberland

We selected Cumberland Council as a great example because it not only meets the guidelines, but also has the following features:

Advantages | The Cumberland Delivery Program 2022-2026 says:
Demonstrates a commitment to service reviews | "Service reviews are a vital process that Cumberland City Council uses to ensure that services and facilities meet community needs and wants as well as into the future."
Allocates resources to the program | "Council is investing significantly in its internal ability to provide an internal better practice service review program, and will complement this capacity with consultants where technical expertise is required."
Published program offers accountability and transparency | "Council's four year service review plan is outlined below, and progress will be reported in each Annual Report."

The published program seems targeted and realistic, and describes the purpose of each service review:

The extensive benefits of Service Reviews

While the purpose of the new requirement is to ensure continuous improvement, a rolling program of service reviews can also put Councils and Councillors in a better position to:

  • Respond to changing customer priorities and needs
  • Determine the right mix of services and align the services with the council’s vision
  • Define statutory and non-statutory services and consider the potential for divestment of services
  • Generate financial savings
  • Review and optimise service levels and build staff capacity and skills

Centium’s Support – Organisation or Service Level Focus

Centium can provide support to meet these new requirements no matter what your starting point. We can look across all services, to set organisational priorities for both the services selected for review and also the purpose and objectives of conducting the review.

We can also assist you to design and conduct a service review. We bring fresh eyes, depth of local government experience and technical capability to conduct a thorough analysis and offer realistic and targeted recommendations for improvement. We will work with your internal corporate and service management professionals in a way that recognises and enhances your inhouse skills and experience.

For further information, please contact Centium’s Director Local Government Improvement, Sarah Artist, for a no-obligation discussion at 0409-830-283 or at sarah.artist@centium.com.au.

As prescribed in the NSW Councillor Induction and Professional Development Guidelines, all Councils are required to prepare induction and ongoing professional development plans (PDP) to guide elected members through their tenure. These plans are to ensure that elected mayors and councillors have the knowledge and skills expected of them to carry out their civic role in the community. While it is mandatory to have these plans in place, it is actually a tricky task to put one together.

Centium has been working with several NSW Councils and their elected members to establish and implement professional development plans and report on their progress in their annual reports. This work has been fronted by Centium’s team of experts, including previous Burwood Council mayor and councillor, Lesley Furneaux-Cook.

Using a Capability Framework

The Local Government Capability Framework defines the skills, knowledge, and experience required to effectively do the job of an elected member. It has now been adopted as best practice by the NSW Office of Local Government within the Induction and Professional Development Guidelines. During her 7 years as LGNSW Director, Lesley was part of the development of the Local Government Capability Framework.

“I am really proud to have worked on the Capability Framework,” stated the former Councillor. “It was so timely given the legislation required for all Councillors and Mayors to have their own annual Professional Development Plans.”

An effective process guides elected members through a reflective exercise in which they consider their own strengths and weaknesses against the framework. This way, they can identify learning opportunities that might be of benefit and interest to them during their tenure at the council. Undertaking the needs assessment with a third party such as Centium, to develop and monitor the professional development plan and to unpack the framework, will help in overcoming the difficulties involved.

The challenge with establishing PDPs

In the words of Lesley Furneaux-Cook, “Myself, I found it a really steep learning curve when I first started as a councillor. I met issues that I would never normally encounter in my other job and I had to develop a whole new skill set and understanding to match not just what is required under the LG Act, but to meet the ever changing tasks that would come across our papers when we are deliberating issues in Council Chambers. This is not just a one-off learning, this is lifelong learning.”

Lesley is also very much aware of the challenges that sometimes face general managers/CEOs in having a conversation about a councillor’s or mayor’s PD plan.

She pointed out that “the power structures that naturally exist in a council can make it difficult for staff to talk about potential skills development of councillors.”

Centium’s support for Needs Assessment & Program Plans

It is very important to have these plans in place, but it can be difficult to actually put one together without the assistance of a competent advisor with proven experience like Lesley Furneaux-Cook.

Centium can provide local government, governance, leadership and training experts who can assist in putting development plans together because they have been in the shoes of mayors and councillors who need a PDP in place.

Following best practice processes described earlier, we will also work with Council staff to develop practical and achievable PD Plans for each Mayor and Councillor. These plans will outline affordable and flexible options for professional development activities to fit into Councillors’ busy lifestyles.

Centium has worked with several NSW Councils in the past and is strategically positioned to support councils and councillors so they can make good decisions to benefit their communities.

For further information, please contact Centium’s Director, Local Government Improvement, Sarah Artist, for a no-obligation discussion at 0409-830-283 or at sarah.artist@centium.com.au. Alternatively, take a look at Centium's Councillor PDP Service Sheet below:

Grants design and management are notoriously complex and resource-demanding exercises. In order to ensure that the key principles of transparency, accountability and probity are embedded in the way NSW Government grants are delivered, the 2022 Review of Grants Administration in NSW has made recommendations to improve grants delivery. 

This review was led by the Department of Premier and Cabinet (DPC) in partnership with the NSW Productivity Commissioner and was tasked with delivering an updated Good Practice Guide to Grants Administration and providing recommendations for improvement.

The overall aim was to ensure that any investment the government makes in grants:

  • delivers value for money;
  • achieves its purpose;
  • has robust planning and design;
  • incorporates the principles of accountability, transparency and probity; and
  • provides a good customer experience.

We have summarised the review’s findings into the following essential tips that should be adopted by Agency staff when designing a grant program.

1. Provide Clear Guidelines

NSW Public Servants love acronyms! Remember though that the acronyms we use may not be widely understood by the public. Reading documents with multiple acronyms can sometimes be like deciphering a foreign language! Try to keep internal jargon out of public-facing documents. If you must use an acronym, expand it on its first use in a document.

If you are unsure, use the Government Style Guide.

2. Consistency in Guidelines

Be consistent with your terminology. This can avoid confusion for your audience and make the process easier for people to follow. Make sure your content uses plain language. This helps all users and ensures everyone can understand. Avoid (or explain) unusual words, phrases and idioms.

3. Discretionary clauses in Guidelines

Be careful with discretion in your guidelines. If you publish rules with discretionary clauses, ensure that you workshop various scenarios and document your risk tolerance for each scenario. When you do exercise discretion, you should ask yourself if there will be a material benefit to the applicant because of your decision. Also ask yourself how much benefit you give an applicant by using your discretion. (For example, allowing an applicant to submit a late tender by one hour due to technical issues with the tendering website may be allowed, as it gives the proponent no real material advantage, but giving a proponent an extra week to submit a proposal would be unacceptable.)

Be mindful of the optics of your decisions, and if you do make a discretionary decision, be sure to document it and have it approved by the person with the appropriate delegation.

4. Roles and Responsibilities

Be sure to document roles and responsibilities up front, noting who will make a recommendation, who will endorse, and who will approve. Ensure the roles nominated have the correct delegation, and if there will be Ministerial or MP involvement, you must disclose this in the published guidelines. Establishing a governance structure up front with roles and responsibilities for each group and clear terms of reference will set the project up for success.

5. Conflicts of Interest

Conflicts of interest are only bad if they are not disclosed. You should be checking for actual or perceived conflicts at each meeting and each step of the process, not just at the outset. Things can change and this gives everyone the opportunity to raise any actual or perceived issues before they become a problem. Be sure to document any mitigation strategies you have agreed upon, making sure they are appropriate and approved by the person or group with the correct delegation. A good Probity Advisor will be able to help design mitigation strategies to manage tricky conflicts.

6. Confidentiality

It is important that everyone involved in the project is aware of the confidentiality protocols and if necessary, has received training in this area. It is essential that confidentiality is taken seriously so that all grant applicants are treated equally and fairly, and the process is equitable.

7. Selection Criteria

If you decide to use anything other than a competitive merit-based selection process, be sure to document why, and develop a risk register with appropriate risk mitigation strategies. This must be approved by the relevant person with the delegation to make this decision, usually the Minister, or the Head of your Agency.

8. Evaluation

Build evaluation into your program design up front, and ensure you have clearly defined and measurable outcomes. This will help increase the quality of the evaluation. Use evaluation reports to inform any decisions about changes to programs in the future.

9. Publish your Grant!

You must publish your grant on the NSW Government Grants and Funding Website. This is a mandated requirement following the 2022 Review of Grants Administration in NSW and relates to any grant being issued after 19 September 2022. Details of grants awarded must be published no later than 45 days after the first payment is made to a grant recipient.

10. Expert Advice

If a grant program is either high value, high risk or politically sensitive, current guidance recommends that you use an external Probity Advisor. Getting advice from a firm that has trained and government accredited probity advisors will guide your team towards best practice and prevent any reputational risk for the agency and your staff. A good probity advisor will hold your hand throughout the process and should be able to help with training and ongoing development of your people. It is a small cost to outlay and can save a lot of time, anxiety, effort – and ultimately reputation!

A probity advisor can be a grant design secret weapon

While the above tips and recommendations can be used to simplify grant design and management, there is value in engaging an experienced probity advisor to offer expert support for high value or sensitive grant programs.

Centium has over 20 years’ experience offering transparent, activity-based probity advisory and auditing services and support to government agencies. A key element in providing quality probity advice is an understanding of the transaction and the associated issues and risks. Our bespoke Probity Methodology is risk-based and ensures that key probity elements are incorporated in every aspect of your transaction.

If you require probity advisory services, grant admin management support, or internal audit of your grants, reach out to Joan Cavalieri, Director, Probity & Ethics via joan.cavalieri@centium.com.au or visit our website to view our full range of probity and procurement services.

Centium has recently undertaken cyber security health check assessments for six NSW Local Councils, shining a light on the common gaps many of them have.

These gaps were identified against the draft OLG Cyber Security Guideline, but many of them are simply better practice.

Despite the pressure to render more and more services digitally, many Councils have been on the back foot with regards to cyber security due to the onset of the pandemic and limited budgets. This can present challenges especially when it comes to securing Council systems, customer data and preventing business disruption.

That being said, the increasing number and impact of cyber-attacks that have been reported in Australia and globally has put many Councils on high alert as they try to improve their security.

In July 2021, Cyber Security NSW released a draft Cyber Security Guideline for Local Councils (including the Essential Eight) via the Office of Local Government. The guideline's objective is to assist Councils in improving their cyber security practices and not enforcing compliance. This gives Councils more time to strengthen their cyber security and raise their maturity levels to be in line with known better practices.

Centium was recently tasked by six NSW Councils to review their cyber security maturity in line with this draft guideline. In the article below, we share our learnings from these health checks to help other Councils better design and implement cyber security controls.

The 9 common cyber security gaps Centium’s reviews identified

1. Poorly outlined roles, responsibilities and plans

Most Councils already have some cyber security controls in place. However, our health checks found that subject Councils shared common gaps in their cyber security controls:

Councils are yet to clearly define the cyber security roles and responsibilities of the General Manager/Chief Executive Officer, Risk Manager, Chief Information Security Officer (CISO), Chief Information Officer (CIO), and/or Information Security Manager.

This affects Council's entire cyber security plans and actions from the top down. In fact, we saw this play out in a lack of approved cyber security plans within several Councils. With no plan or strategy in place, Councils cannot improve their cyber security in both the short- and long-term.

2. Lack of governance at executive level

Despite the requirement that the General Manager or CEO be accountable for cyber security, many Councils that have governance committees with executive presence only discuss the cyber security aspects on an ad-hoc basis.

Councils often forget that Operational Technology (OT), such as video surveillance and building management systems using automated or remotely controlled or monitored assets, should be governed, but in most cases they are not. This significantly increases risks when considering the confidential information and data that these systems and technology may contain.

3. Cyber security risk assessments are not conducted well

Some Councils had a form of risk assessment. However, many such risk assessments didn't meet the specific requirements of their enterprise risk management standard, nor was the methodology documented along with the criteria for accepting risk.

This leaves many Councils vulnerable to developing blind spots and unintentionally accepting risks.

4. There are opportunities to improve cyber security awareness and culture

It is the responsibility of every person in Council to avoid actions that invite cyber security breaches – however this isn't always communicated to staff. Outside of the IT department, our health checks found a lack of proactive culture and education regarding cyber security. 

Councils cannot hope to reduce their risks if their staff and contractors don't know how.

For example:

  • Councils do not always incorporate security clauses in service provider contracts, significantly increasing the risks of external breaches
  • Cyber security awareness training isn't made available for employees, contractors, and ICT service providers who have access to Council systems or data
  • Communication regarding cyber security is not regularly sent to staff, especially those in high-risk roles
  • Cyber security risk management processes are not always documented, understood and followed by the relevant people across Council

5. Sensitive or classified information is too accessible

While users and staff need access to sensitive or classified information or systems, many Councils are not managing this proactively or effectively. You only have to check the media to find instances of ex-employees with grudges compromising systems and data - Councils, too, need to be aware of these risks.

Our health checks observed a lack of access control policy, irregular removal and auditing of privileges, ad-hoc reviews of access rights, access not being removed within a defined period, and a lack of documentation in managing user access.
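As an added illustration (not Centium's or any Council's tooling) of turning the "defined period" for access removal and the periodic review of privileged access into a repeatable check, the following Python reconciles a constructed HR leaver list against a constructed directory export. The field names, the 5-day removal window and the 90-day review cadence are assumptions chosen for the example.

```python
"""Leaver access reconciliation: flag accounts whose access persisted past the
defined removal period, and privileged accounts overdue for an access review.

Added example, not Centium's or any Council's tooling. All records below are
constructed; field names, the 5-day removal window and the 90-day review
cadence are assumptions chosen for illustration.
"""
from datetime import date, timedelta

# Constructed HR leaver feed: user id -> last working day.
LEAVERS = {
    "jsmith": date(2023, 3, 1),
    "akhan": date(2023, 3, 10),
    "bwong": date(2023, 2, 1),
    "dlee": date(2023, 3, 12),   # left recently, still inside the removal window
}

# Constructed directory export: status, privilege flag and date of last access review.
ACCOUNTS = [
    {"user": "jsmith", "enabled": True,  "privileged": True,  "last_review": date(2022, 10, 1)},
    {"user": "akhan",  "enabled": False, "privileged": False, "last_review": date(2023, 1, 15)},
    {"user": "bwong",  "enabled": True,  "privileged": False, "last_review": date(2023, 2, 20)},
    {"user": "cdoe",   "enabled": True,  "privileged": True,  "last_review": date(2022, 12, 1)},
    {"user": "dlee",   "enabled": True,  "privileged": False, "last_review": date(2023, 3, 1)},
    {"user": "efox",   "enabled": True,  "privileged": True,  "last_review": date(2023, 3, 1)},
]

REMOVAL_DAYS = 5   # assumed defined period for removing a leaver's access
REVIEW_DAYS = 90   # assumed cadence for reviewing privileged access
AS_OF = date(2023, 3, 15)   # constructed review date


def overdue_leavers(accounts, leavers, as_of, removal_days=REMOVAL_DAYS):
    """Return (user, days_overdue) for leaver accounts still enabled beyond the
    removal window. Disabled accounts, current staff and leavers still inside
    the window are skipped. Sorted with the most overdue first."""
    findings = []
    for acct in accounts:
        last_day = leavers.get(acct["user"])
        if last_day is None or not acct["enabled"]:
            continue
        deadline = last_day + timedelta(days=removal_days)
        if as_of > deadline:
            findings.append((acct["user"], (as_of - deadline).days))
    return sorted(findings, key=lambda f: -f[1])


def stale_privileged_reviews(accounts, as_of, review_days=REVIEW_DAYS):
    """Return users whose privileged access has not been reviewed within the
    review cadence. Only enabled, privileged accounts are in scope."""
    cutoff = as_of - timedelta(days=review_days)
    return sorted(
        a["user"] for a in accounts
        if a["enabled"] and a["privileged"] and a["last_review"] < cutoff
    )


def access_review_report(accounts, leavers, as_of):
    """Combine both checks into one dict suitable for an audit working paper."""
    return {
        "as_of": as_of.isoformat(),
        "overdue_leavers": overdue_leavers(accounts, leavers, as_of),
        "stale_privileged_reviews": stale_privileged_reviews(accounts, as_of),
    }


if __name__ == "__main__":
    report = access_review_report(ACCOUNTS, LEAVERS, AS_OF)
    for user, days in report["overdue_leavers"]:
        print(f"LEAVER STILL ENABLED: {user} ({days} days past removal deadline)")
    for user in report["stale_privileged_reviews"]:
        print(f"PRIVILEGED REVIEW OVERDUE: {user}")
```

Run on a schedule against real HR and directory exports, the two lists become the evidence trail that the access review actually happened and when.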

6. No ISMS in place

Councils are expected to implement an Information Security Management System (ISMS), Cyber Security Management System (CSMS) or Cyber Security Framework (CSF) compliant with, or modelled on, one or more recognised ICT, OT or IoT standards. This ensures that Councils can protect their assets and information from threats and vulnerabilities.

This is a substantial commitment for Councils but essential in ensuring that information security policies and procedures are in place, 'crown jewels' are identified, and plans are in place to manage cyber security incidents.

7. Cyber security considerations are not built into procurement

Many Councils are yet to embed cyber security requirements into procurement and the early stages of projects. In addition, many Councils are yet to ensure that new systems and/or enhancements include audit trails and activity logging processes to assess data accuracy and integrity.

This means that Councils are at risk of giving systems with hidden threats access to their valuable data and assets.

8. Limited current cyber incident response plan and testing

While many Councils have some sort of plan in place to prevent incidents, most do not have any formal procedures to respond to, monitor, and report events. This is especially concerning when Councils are required to report incidents to the CISO and Cyber Security NSW.

And for the Councils that do have plans in place, none have actually tested their effectiveness. This leaves Councils with unknown gaps in their responses – and no Council wants these gaps when an event does occur.

Councils also need to deploy monitoring processes and tools for adequate incident identification and response. But we've observed that many Councils only have manual monitoring without automated tools or alerts – which proves no challenge for the sophisticated and high-tech threats of today.

9. Not sharing information on security threats

Councils are expected to share information on security threats and intelligence with Cyber Security NSW and cooperate across NSW Local Government and NSW Government to enable management of state-wide cyber risk.

But we found that many Councils aren't doing this, or when they do, they only share information and intelligence within their own Council. Commonly, this is because they lack formal processes as to what should be shared and when.

Similarly, most do not have protocols for receiving and acting on information and intelligence received from Cyber Security NSW.

A client perspective

All stakeholders, including the Audit, Risk and Improvement Committee, recognised that seeking assurance that cyber risk was being effectively managed was a high priority for inclusion in this year's internal audit plan.

Centium was engaged, based upon their understanding of the local government context, to share their knowledge and experiences.

The team adopted a practical approach and looked at cyber risk from not just an IT perspective but also considered operational aspects such as third-party management, training, and procurement, thus raising awareness that there are many touch points where a cyber incident could impact Council's operations. 

The cyber review also complemented the recommendations made from other internal audits that had been completed throughout the year, such as privacy and information awareness, procurement and contract management.

The finished report included a comparative score for those that wanted to benchmark their progress against others. However, more importantly there was acknowledgement of the positive practices that were already in place.

Each of the 25 requirements detailed in the guidelines was assessed by the Centium team, with each assessment supported by a rationale, the priority that the tasks should be given, and practical recommendations. This approach provided management with a roadmap for strengthening their cyber security framework and an understanding of what areas should be prioritised. This approach was well received by all stakeholders.

The final report also provided a detailed action plan to enable the Internal Auditor to validate the completion of actions and provide regular reports to management and the Audit, Risk and Improvement Committee into the future.

How can Centium assist you with this?

While the OLG's guidelines have yet to be finalised, it is vital to start complying with the Guideline now to both protect your Council and prepare for the eventuality of it becoming policy.

The above common gaps can seem daunting to identify and tackle in your systems, but a thorough health check with recommendations from Centium can put you on the right track. In our previous health checks, we were able to identify multiple quick wins for Councils to implement and give them the breathing space required to deploy long-term changes.

Please feel free to contact our Director Penny Corkill for a no-obligation discussion on 0409 251 011 or penelope.corkill@centium.com.au. Alternatively, browse Centium’s range of related services: Cyber, IT & Business Continuity.
