It’s easy to engage us! Centium is listed on SCM0005 and SCM0020 (Advanced). This allows you to directly engage us based on a quote.
WILL YOU MAKE THE 31 AUGUST DEADLINE?
Many agencies are scurrying to fulfill their obligations under the NSW Cyber Security Policy (CSP) by the 31 August 2019 reporting deadline.
The NSW CSP replaced the NSW Digital Information Security Policy in February this year. It applies to all NSW Government Departments and Public Service Agencies (Government Sector Employment Act 2013 Schedule 1 Public Service agencies) and sets out 24 mandatory requirements including the need for an independent review of compliance.
By 31 August each year, you need to submit a report to your Agency head and GCISO, in a template provided by GCISO. This is complicated by the Machinery of Government (MoG) changes that come into effect on the 1st July 2019.
You also need to include an attestation in your annual report and provide a copy to GCISO.
Machinery of government changes: implications for CSP reporting obligations
As clusters are being restructured on 1 July 2019, the ownership of some IT systems and operational technology will change. In May 2019, the Secretaries Board agreed that attestation against the Cyber Security Policy will be done by departments and agencies within their respective post 1 July organisational arrangements. Cyber Security NSW has advised it is considering options for how to accommodate any anomalies this may create for cluster reporting and will update the Cyber Security Steering Group and Community of Practice on a regular basis.
Maintaining an operational Information Security Management System (ISMS) is a key requirement of the CSP. Centium has been helping agencies to adapt their existing ISMS to integrate into their (new) cluster’s existing ISMS. This can be a delicate exercise given that it’s important to not just spot gaps in the different ISMSes, but also to identify and remove overlaps that can give rise to unnecessary administrative effort and cost.
Centium has assisted agencies to review and unify disparate ISMSes into a cohesive and efficient singular management system. We have also been helping agencies to identify and assess their “crown jewels”, and conducting maturity assessments against the Essential 8, to help them prepare for their 31 August 2019 deadline.
Contact us to find out how Centium can help your agency or cluster to adapt and unify multiple ISMSes into an efficient and effective management system, and how you can meet your 31 August 2019 CSP deadlines.
RECORDS MANAGEMENT DURING GOVERNMENT CHANGES
Many public offices will be transferring functions to other agencies or merging into new clusters as a result of Machinery of Government (MoG) changes. If business activities or functions are being transferred, then records will also be transferred.
Agencies should ensure there are agreements or MOUs about what records are to be transferred, and a plan about how records are to be managed throughout the transition.
In the case of digital records, the transition may involve moving data from one system to another, or from one service provider to another.
Before migrating data, it is important to have undertaken an appropriate risk assessment as this will inform the migration planning and testing processes used. Centium can help agencies with their records management planning and testing processes as part of MoG changes to include:
To find out more about how Centium can assist you to meet your records management obligations during a MoG change, please contact a Centium Practice Lead for an informal chat.
LEARNINGS FROM THE NSWAO ON THE MANAGEMENT OF PROBITY ADVISORS
The NSW Audit Office assessed whether the state’s 40 largest procurers of probity services complied with the requirements of PBD 2013-05 “Engagement of Probity Advisers and Probity Auditors” and whether they ensured value for money from the use of probity practitioners.
The audit found that agencies tend to rely on only a limited number of probity service providers, sometimes using them on a continuous basis, which may threaten the actual or perceived independence of probity practitioners. The audit also found that agencies do not have effective processes to ensure value for money.
'PBD-2013-05 Engagement of probity advisers and probity auditors' sets out the requirements for NSW Government agencies' use and engagement of probity practitioners. It confirms agencies should routinely take into account probity considerations in their procurement. The Direction also specifies that NSW Government agencies can use probity advisers and probity auditors (probity practitioners) when making decisions on procuring and disposing of assets. One of the key messages it conveys is that agencies should not engage the same probity practitioner on an ongoing basis, and ensure the relationship remains robustly independent.
Within this context, the NSWAO assessed whether Transport for NSW, the Department of Education and the Ministry of Health:
They also surveyed NSW Government agencies with the 40 largest total expenditures to get a cross-sector view of their use of probity practitioners.
In summary, the NSWAO found instances where each of the participating agencies had not fully complied with the requirements of the NSW Procurement Board Direction ‘PBD-2013-05 Engagement of Probity Advisers and Probity Auditors’ when they engaged probity practitioners. They also found they did not have effective processes to achieve compliance or assure the engagements achieved value for money.
In the sample of engagements selected, they found instances where the participating agencies did not always:
They also found that agencies tend to rely on only a limited number of probity service providers, sometimes using them on a continuous basis, which may threaten the actual or perceived independence of probity practitioners.
Like the NSW Audit Office, we encourage agencies to regularly cycle their probity advisors and auditors so as to avoid an actual or perceived independence issue. Centium has a very highly regarded team of probity advisors and auditors and we’d be very happy to chat with you about how we can assist with your probity needs. To find out more, please contact our Director Ethical Conduct & Investigations, Roy Cottam.
ICAC REPORT ON CORRUPTION TRENDS ACROSS NSW
The ICAC released a report earlier this year covering modern factors that contribute to corruption and other serious forms of misconduct. It also highlights emerging trends, hotspots, case studies and notable practices that have been brought to the Commission’s attention.
The report provides a wealth of case studies, lessons learnt and better practice tips. It focusses on whole of government trends; incentives, cues and motivations; speaking up; conflicts of interest; undue influence on decision makers; HR matters; procurement and contract management; regulation and accreditation; as well as a section relating to non-government organisations.
The full ICAC report can be found here:
Appendix 2 is particularly useful as it sets out various systemic issue categories applying to:
Centium has over three decades' worth of practical experience helping agencies enhance their fraud and corruption prevention and detection controls. Our specialist Ethical Conduct & Investigations team members have held high profile operational positions including Heads of Governance & Risk, Certified Fraud Examiners, Certified Anti-Money Laundering Specialists, Principal Auditors and Chief Investigators.
Some of the ways in which we have helped agencies improve fraud and corruption controls include:
To find out more, please contact our Director Ethical Conduct & Investigations, Roy Cottam.
CAN YOU SLEEP AT NIGHT KNOWING THAT ALL WILL BE FINE?
Many NSW government agencies already have elements of business continuity plans and associated IT recovery plans. These form part of overall organisational resilience and good risk management.
But how confident are you that your plans are up to date and that the right people know what to do? When was the last time your plan was updated and tested? Will the Machinery of Government (MoG) changes affect your plans?
Centium has been assisting NSW government agencies to enhance and test their business continuity plans, IT recovery plans and overall emergency response plans for decades. We apply practical learnings and better practices from having worked with nearly all government agencies over time. Now is an ideal time to update your plans given the MoG changes. Click here to find out how Centium has helped agencies to uplift and test their business continuity and IT recovery plans.
Here are some ways in which we’ve worked with our state and local government clients in the recent past:
Contact us to find out more about how we can help your agency with its business continuity and resilience efforts, particularly in light of MoG changes.
YOU HAVE A WHS MANAGEMENT SYSTEM, BUT HOW MATURE IS YOUR SAFETY CULTURE?
Most NSW government agencies have mature Work Health & Safety (WHS) Management Systems consisting of policies, procedures, Safe Work Method Statements and other elements.
While these are very important, WHS really takes on a life of its own when accountability is given to staff and a safety culture is fostered. This approach not only reduces injuries but changes the attitude of staff to workplace safety.
Centium has developed a Safety Culture Methodology and Maturity Model to measure and enhance safety culture across an agency. It includes nine broad behaviours, or culture actions, that we consider essential to the development of a positive safety culture: Leadership; Communication; Organisational goals and values; Supportive environment; Responsibility; Learning; Trust in people and systems; Resilience; and Engagement.
Now is the ideal time to take a baseline measure of your agency’s safety culture given the changes and mergers brought on by Machinery of Government changes. It’s quite likely that you may need to merge or amend your WHS Management System with that of another agency or cluster.
Here are some of the ways in which we can help:
Contact us to find out more about how we can help your agency to measure and enhance its safety culture and WHS practices, particularly in light of MoG changes.