Posted on March 21, 2019 by Sue Puckeridge
Cyber Security and Local Government: Managing IT Providers
Information technology systems are integral to the day-to-day operation of governmental organisations: they support internal management functions, deliver services and information to their communities and underpin the exercise of regulatory functions. External providers are commonly engaged to manage these IT systems (‘Providers’).
The recent hacking of the Australian Parliament House network is a timely reminder of the need for government to be vigilant in protecting its own information, third party personal information and IT systems. The NSW Auditor-General’s Report on Local Government 2018 (‘Report’) indicates that there is scope for local councils to improve the management of Providers.
The Report reviewed whether councils have effective governance controls in place to manage key financial systems and to manage Providers, and recommended that councils take steps to address weaknesses in IT system controls and to manage Providers more effectively. It noted that most internal control deficiencies in councils related to IT processes and their control environment.
The Report includes the following key observations and recommendations:
- Privileged access to IT systems is not adequately restricted and monitored,
- User access management to IT systems needs to be improved,
- Controls over IT system changes need to be improved,
- Management of Providers needs to be improved,
- IT policies need to be formalised and kept up-to-date, and
- IT risks need to be identified, monitored and reported.
Risk Management Action
Contracts using Providers must properly define the Providers’ responsibilities, allocate risks and require the Providers to have adequate insurance.
Various resources exist to help councils with this task.
The Australian Cyber Security Centre (‘ACSC’) publishes better practice principles for managed service providers. Providers should inform their customers whether or not the services to be provided satisfy those principles. IT managers should ask their Providers whether they have joined the ACSC’s ‘Managed Service Provider Partner Program’. This program is designed to improve the cyber security implemented by managed service Providers in Australia.
In addition, the NSW Government has issued the Cyber Security Policy which applies to all NSW Government Departments and Public Service Agencies from 1 February 2019. This policy refers to guidelines prepared by ACSC. The NSW policy is intended to ensure that cyber security risks to information and IT systems are properly managed and is a useful reference.
Adequate contractual terms are critical to managing the risk of outsourcing the management of information and IT systems. Ultimately, councils remain responsible under various statutes to protect information held in those IT systems and to report data breaches (e.g. the State Records Act 1998 (NSW); the Privacy and Personal Information Protection Act 1998 (NSW), which governs the electronic management of personal information; and the Privacy Act 1988 (Cth), which requires notification of data breaches in respect of tax file numbers).
Councils who subscribe to the electronic lodgment network for land transactions also have obligations to protect information provided by others under the Participation Rules pursuant to the Electronic Conveyancing National Law (NSW).
Providers need to understand those obligations and ensure that their services are compliant and risks are managed appropriately on behalf of their customers.
Conclusion
It is important that digital assets are protected from the risks associated with IT systems and with outsourcing the management of those systems. IT contracts should contain terms which ensure councils are meeting their obligations. Management and procurement processes should also be regularly reviewed and updated to reflect and implement current best practice.
If you have any questions about this topic please contact Sue Puckeridge on 02 8235 9702.