NEWS . STATE GOVERNMENT . JULY 2019

---

CYBER SECURITY

WILL YOU MAKE THE 31 AUGUST DEADLINE?

Many agencies are scurrying to fulfill their obligations under the NSW Cyber Security Policy (CSP) by the 31 August 2019 reporting deadline.

The NSW CSP replaced the NSW Digital Information Security Policy in February this year. It applies to all NSW Government Departments and Public Service Agencies (Government Sector Employment Act 2013 Schedule 1 Public Service agencies) and sets out 24 mandatory requirements including the need for an independent review of compliance.

By 31 August each year, you need to submit a report to your Agency head and GCISO, in a template provided by GCISO. This is complicated by the Machinery of Government (MoG) changes that come into effect on the 1st July 2019.

By 31 August each year, you need to submit a report to your Agency head and GCISO, in a template provided by GCISO, covering the following:

• Assessment against all mandatory requirements in the CSP for the previous financial year, including a maturity assessment against the ACSC Essential 8;
• Cyber security risks with a residual rating of high or extreme; and
• A list of the agency’s “crown jewels”.

You also need to include an attestation in your annual report and provide a copy to GCISO.

Machinery of government changes: implications for CSP reporting obligations

As clusters are being restructured on 1 July 2019, the ownership of some IT systems and operational technology will change. In May 2019, the Secretaries Board agreed that attestation against the Cyber Security Policy will be done by departments and agencies within their respective post 1 July organisational arrangements. Cyber Security NSW has advised it is considering options for how to accommodate any anomalies this may create for cluster reporting and will update the Cyber Security Steering Group and Community of Practice on a regular basis.

Maintaining an operational Information Security Management System (ISMS) is a key requirement of the CSP. Centium has been helping agencies to adapt their existing ISMS to integrate into their (new) cluster’s existing ISMS. This can be a delicate exercise given that it’s important to not just spot gaps in the different ISMSes, but also to identify and remove overlaps that can give rise to unnecessary administrative effort and cost.

Centium has assisted agencies to review and unify disparate ISMSes into a cohesive and efficient singular management system. We have also been helping agencies to identify and assess their “crown jewels”, and conducting maturity assessments against the Essential 8, to help them prepare for their 31 August 2019 deadline.

Contact us to find out how Centium can help your agency or cluster to adapt and unify multiple ISMSes into an efficient and effective management system, and how you can meet your 31 August 2019 CSP deadlines.

---

RECORDKEEPING

RECORDS MANAGEMENT DURING GOVERNMENT CHANGES

Many public offices will be transferring functions to other agencies or merging into new clusters as a result of Machinery of Government (MoG) changes. If business activities or functions are being transferred, then records will also be transferred.

Agencies should ensure there are agreements or MOUs about what records are to be transferred, and a plan about how records are to be managed throughout the transition.

In the case of digital records, the transition may involve moving data from one system to another, or from one service provider to another.

Before migrating data, it is important to have undertaken an appropriate risk assessment as this will inform the migration planning and testing processes used. Centium can help agencies with their records management planning and testing processes as part of MoG changes to include:

• Correct identification of what records and information (including metadata) are to be migrated from one system/service environment to another
• Testing to ensure that all records and information (including metadata) have been successfully migrated to target system (new system/service environment)
• Rectification processes to be used if there are issues with quality or success of the migration
• Confirmation that the records and information (and metadata) that is needed for ongoing business, accountability and legal purposes, has been migrated
• Documented appropriate timeframes for the transferring public office (or service provider) to hold the source records after successful migration before deletion occurs. GA48 provides authorisation for the disposal of source records after specific conditions have been met (see Section 1.3 ). The rule of thumb is that source records must be kept for "an appropriate length of time" after the migration to "enable confirmation that the migration has been successful". Determination of the specific retention period must be based on a client's organisational risk assessment.

To find out more about how Centium can assist you meet your records management obligations during a MoG change, please contact a Centium Practice Lead for an informal chat.

PROBITY ADVISORS

LEARNINGS FROM THE NSWAO ON THE  MANGAGEMENT OF PROBITY ADVISORS

The NSW Audit Office assessed whether the state’s 40 largest procurers of probity services complied with the requirements of PBD 2013-05 “Engagement of Probity Advisers and Probity Auditors” and whether they ensured value for money from the use of probity practitioners.

The audit found that agencies tend to rely on only a limited number of probity service providers, sometimes using them on a continuous basis, which may threaten the actual or perceived independence of probity practitioners. The audit also found that agencies do not have effective processes to ensure value for money.

'PBD-2013-05 Engagement of probity advisers and probity auditors' sets out the requirements for NSW Government agencies' use and engagement of probity practitioners. It confirms agencies should routinely take into account probity considerations in their procurement. The Direction also specifies that NSW Government agencies can use probity advisers and probity auditors (probity practitioners) when making decisions on procuring and disposing of assets. One of the key messages it conveys is that agencies should not engage the same probity practitioner on an ongoing basis, and ensure the relationship remains robustly independent.

Within this context, the NSWAO assessed whether Transport for NSW, the Department of Education and the Ministry of Health:

• complied with the requirements of ‘PBD-2013-05 Engagement of Probity Advisers and Probity Auditors’
• effectively ensured they achieved value for money when they used probity practitioners.

They also surveyed NSW Government agencies with the 40 largest total expenditures to get a cross-sector view of their use of probity practitioners.

Audit Findings

In summary, the NSWAO found instances where each of the participating agencies had not fully complied with the requirements of the NSW Procurement Board Direction ‘PBD-2013-05 Engagement of Probity Advisers and Probity Auditors’ when they engaged probity practitioners. They also found they did not have effective processes to achieve compliance or assure the engagements achieved value for money.

In the sample of engagements selected, they found instances where the participating agencies did not always:

• document detailed terms of reference
• ensure the practitioner was sufficiently independent
• manage probity practitioners' independence and conflict of interest issues transparently
• provide practitioners with full access to records, people and meetings
• establish independent reporting lines - reporting was limited to project managers
• evaluate whether value for money was achieved.

They also found that agencies tend to rely on only a limited number of probity service providers, sometimes using them on a continuous basis, which may threaten the actual or perceived independence of probity practitioners.

Like the NSW Audit Office, we encourage agencies to regularly cycle their probity advisors and auditors so as to avoid an actual or perceived independence issue. Centium has a very highly regarded team of probity advisors and auditors and we’d be very happy to chat with you about how we can assist with your probity needs. To find out more, please contact our Director Ethical Conduct & Investigations, Roy Cottam.

CORRUPTION

ICAC REPORT ON CORRUPTION TRENDS ACROSS NSW

The ICAC released a report earlier this year covering modern factors that contribute to corruption and other serious forms of misconduct. It also highlights emerging trends, hotspots, case studies and notable practices that have been brought to the Commission’s attention.

The report provides a wealth of case studies, lessons learnt and better practice tips. It focusses on whole of government trends; incentives, cues and motivations; speaking up; conflicts of interest; undue influence on decision makers; HR matters; procurement and contract management; regulation and accreditation; as well as a section relating to non-government organisations.

The full ICAC report can be found here:

Appendix 2 in particular is particularly useful as it sets out various systemic issue categories applying to:

• Individuals
• Business units and organisations
• Organisational processes

Centium has over three decades worth of practical experience helping agencies enhance their fraud and corruption prevention and detection controls. Our specialist Ethical Conduct & Investigations team members have held high profile operational positions including Heads of Governance & Risk, Certified Fraud Examiners, Certified Anti-Money Laundering Specialists, Principal Auditors and Chief Investigators.

Some of the ways in which we have helped agencies improve fraud and corruption controls include:

• Conducting a “fresh eyes” gap assessment against the ICAC’s recommendations and systemic issue categories;
• Reviewing your existing fraud and corruption prevention framework;
• Conducting a focussed fraud and corruption risk assessment across your agency;
• Helping design and implement specific fraud and corruption prevention and detection controls;
• Conducting a detailed review of systems access assignments to identify potential segregation of duties conflicts;
• Designing bespoke data analytics tools to help identify potential fraudulent transactions;
• Delivering bespoke fraud and corruption training for your staff and Executive team;
• Reviewing and enhancing your Code of Conduct and retraining staff;
• Conducting specialist investigations;
• Assisting with disciplinary action, insurance recovery and/or litigation support.
  

To find out more, please contact our Director Ethical Conduct & Investigations, Roy Cottam

BUSINESS CONTINUITY

CAN YOU SLEEP AT NIGHT KNOWING THAT ALL WILL BE FINE?

Many NSW government agencies already have elements of business continuity plans and associated IT recovery plans. These form part of overall organisational resilience and good risk management.

But how confident are you that your plans are up to date and that the right people know what to do? When was the last time your plan was updated and tested? Will the Machinery of Government (MoG) changes affect your plans?

Centium has been assisting NSW government agencies to enhance and test their business continuity plans, IT recovery plans and overall emergency response plans for decades. We apply practical learnings and better practices from having worked with nearly all government agencies over time. Now is an ideal time to update your plans given the MoG changes.Click here to find out how Centium has helped agencies to uplift and test their business continuity and IT recovery plans.

Here are some ways in which we’ve worked with our state and local government clients in the recent past:

• Conducting a “fresh eyes” review of existing Business Continuity Plans, IT (Disaster) Recovery Plans, and Emergency Response Plans
• Refreshing your Business Impact Assessment (which should be reviewed and updated at least every year) to identify changes in your key business processes, critical ICT systems, vital records, Maximum Acceptable Outages, Recovery Point Objectives and continuity risks
• Updating and unifying Business Continuity Plans, IT (Disaster) Recovery Plans, and Emergency Response Plans in response to Machinery of Government changes
• Conducting exercises/tests of your Business Continuity Plans, IT (Disaster) Recovery Plans, and Emergency Response Plans
• Training your staff to make sure they understand their roles and obligations during a disruptive event or emergency
• Reviewing, updating and testing Cyber Security Incident Response Plans and Data Breach Response Plans

Contact us to find out more about how we can help your agency with its business continuity and resilience efforts, particularly in light of MoG changes.

SAFETY CULTURE

YOU HAVE A WHS MANAGEMENT SYSTEM, BUT HOW MATURE IS YOUR SAFETY CULTURE?

Most NSW government agencies have mature Work Health & Safety (WHS) Management Systems consisting of policies, procedures, Safe Work Method Statements and other elements.

While these are very important, WHS really takes a life of its own when accountability is given to staff and a safety culture is fostered. This approach not only reduces injuries but changes the attitude of staff to workplace safety.

Centium has developed a Safety Culture Methodology and Maturity Model to measure and enhancing safety culture across an agency. It includes nine broad behaviours, or culture actions, that we consider essential to the development of a positive safety culture: Leadership; Communication; Organisational goals and values; Supportive environment; Responsibility; Learning; Trust in people and systems; Resilience; and Engagement.

Now is the ideal time to take a baseline measure of your agency’s safety culture given the changes and mergers brought on by Machinery of Government changes. It’s quite likely that you may need to merge or amend your WHS Management System with that of another agency or cluster.

Here are some of the ways in which we can help:

• Taking a baseline measure of your agency’s safety culture (to allow comparative measures over time);
• Conducting a “fresh eyes” review of existing WHS management systems and safety culture;
• Refreshing your WHS hazard and risk assessments;
• Updating and unifying WHS management systems, policies and procedures in response to Machinery of Government changes;
• Training your staff to make sure they understand their roles and obligations regarding safe work practices;
• Helping design, implement and measure controls to help enhance your agency’s safety culture.

Contact us to find out more about how we can help your agency to measure and enhance its safety culture and WHS practices, particularly in light of MoG changes.