CYBER security gaps have been flagged as 'high risk' concerns at both Newcastle and Maitland councils in the NSW Auditor General's latest financial audit.
Ongoing high risks identified at City of Newcastle include a lack of IT policies and procedures on access and incident management and cyber security, and no cyber security awareness program.
The council has failed to address certain risk items already highlighted in previous reports in the area of IT controls, the audit says, and there was no documented service-level agreement between IT and the business.
The IT controls subject to the audit are designed to ensure confidentiality and integrity of systems and data and "underpin the integrity of financial reporting", the report, tabled on June 8, says.
"While IT delivers considerable benefits, it also presents risks that councils need to address," it says.
According to annual reports and the March Quarterly Review 2021, City of Newcastle Council has spent $25.48 million on IT since 2017, and the council's budget for next financial year forecasts further expenditure of $6.345 million.
A spokeswoman said that the council's audit and risk committee was briefed at its meeting in June on the status of audit actions, with 168 completed this year.
"Of the remaining 41 actions that are outstanding, approximately half are on schedule and the remaining are in progress and are high priority to finalise," she said.
The council also recently committed an additional $1 million to address cyber security risks, she said.
"Like all organisations, City of Newcastle is updating its cyber security approach. This includes a new cyber security policy which is expected to be rolled out in the next month.
"Mitigation measures are also in place.
"Cyber security awareness processes are being implemented, reviewed and adapted in response to new and emerging threats."
The Auditor General reported three high-risk findings for Maitland City Council, relating to a lack of formal approval and implementation of IT policies and procedures over multiple areas, no cyber security awareness program, gaps in its IT risk register and lack of a service agreement between IT and the business. Gaps in cyber security controls were also identified, along with inconsistent review of changes to employee master data and invoice data entry.
A Maitland Council spokesman said it had already taken action on many of the 2019/2020 audit findings.
"Council has always had cyber security controls in place for the protection of systems and data, which has been demonstrated through rigorous penetration testing programs," he said.
"Although council lacked documentation that reflected these controls, this has since been rectified.
"While council currently has no formal cyber security awareness program established, staff have been advised of cyber security threats as they have emerged. As a result, council's systems have not had a breach in the last six years."
The council was working with Cyber Security NSW to deliver a cyber security awareness program internally, and has had its Creditors Master Data Reports independently reviewed since May 2019 and Employee Master Data Reports since March 2020.