Response from the Department of Pre

Response from the Department of Premier and Cabinet

Thank you for the opportunity to respond to your performance audit conducted on whole of Government electronic information security.

The Audit and its findings are both a relevant and timely contribution to the current initiatives and actions already being taken involving the review and revision of the Government’s Information and Communication Technology (ICT) policy and forward strategy.

There is no question about the importance of good information security management to the NSW Government, and that there are significant potential risks to be managed, and significant potential costs from information security breaches.

It should be noted that the performance audit has not identified any systemic information security problems within the NSW Government. There is nevertheless the need to properly manage information security risks, and consider future risks and possible problems.

To this end, the existing Government policy on the security of electronic information as provided for in Ministerial Memorandum M2007-04 is now being reconsidered. This includes specifically the appropriateness of the currently mandated requirements for compliance certification. As the Audit notes there are opportunities to achieve greater consistency in implementation throughout the sector.

The Government already has in place a range of mechanisms directed toward the identification and management of information security risks. This includes legislation governing privacy, corruption and financial and records management, as well as NSW Treasury requirements in relation to audit, risk and asset management, procurement, financial management and annual reporting.

Notwithstanding these requirements, the Audit recommends establishing minimum standards and requirements for consistent processes to manage and information assurance risks, as well as strengthening accountability through improved scrutiny and transparency. These initiatives are supported, subject to the outcome of the reforms currently under consideration by Government.

It is pleasing that the Audit has reported that a number of the current key initiatives being implemented within the NSW public sector including the recent agency amalgamations, corporate and shared service reforms and current high level review of ICT strategy and governance are conducive to consolidated whole of government effort and the opportunity for better security of electronic information.

The need to maintain the integrity of information security outcomes is not in dispute, the need to mandate certification requirements remains a contestable strategy. It may be preferable to require agencies to implement information security management systems consistent with international industry standards.



All agencies are required to comply with the Government’s Internal Audit and Risk Management Policy for the NSW Public Sector. The Treasury Policy provides a general framework for applying and auditing risk management – Treasury Circular TC 09/08 and Treasury Policy & Guidelines Paper TPP09-5.

The findings of the performance audit and recommendations arising will be referred for consideration in the current Government review of ICT Strategy.




(signed)

Brendan O’Reilly
Director General