Posted on March 21, 2019 by Sue Puckeridge and 1

Cyber Security and Local Government: Managing IT Providers

The use of  information technology  systems for internal management functions, to provide services and information to their communities and to exercise regulatory functions is integral to the day to day operation of governmental organisations. External providers are commonly used to manage these IT systems (‘Providers’).

The recent hacking of the Australian Parliament House network is a timely reminder of the need for government to be vigilant in protecting its own information, third party personal information and IT systems.  The NSW Auditor-General’s Report on Local Government 2018 (‘Report‘) indicates that there is scope for local councils to improve the management of Providers.

The Report reviewed whether councils have effective governance controls in place to mange key financial systems and to manage Providers and recommended that councils take steps to control weaknesses in IT systems and more effectively manage Providers. It was noted that most internal control deficiencies in councils related to IT processes and their control environment.

The Report includes the following key observations and recommendations:

• Privileged access to IT systems is not adequately restricted and monitored,
• User access management to IT systems needs to be improved,
• Controls over IT system changes need to be improved,
• Management of Providers needs to be improved,
• IT policies need to be formalised and kept up-to-date, and
• IT risks need to be identified, monitored and reported.

Risk Management Action

Contracts using Providers must properly define the Providers’ responsibilities, allocate risks and require the Providers to have adequate insurance.

Various resources exist to help councils with this task.

The Australian Cyber Security Centre (‘ACSC‘) publishes better practice principles for managed service providers.  Providers should inform their customers whether or not the services to be provided satisfy those principles. IT managers should ask their Providers whether they have joined the ACSC’s ‘Managed Service Provider Partner Program‘. This program is designed to improve the cyber security implemented by managed service Providers in Australia.

In addition, the NSW Government has issued the Cyber Security Policy which applies to all NSW Government Departments and Public Service Agencies from 1 February 2019.  This policy refers to guidelines prepared by ACSC.   The NSW policy is intended to ensure that cyber security risks to information and IT systems are properly managed and is a useful reference.

Adequate contractual terms are critical to managing the risk of outsourcing information and IT systems management. Ultimately, councils remain responsible under various statutes to protect information held in those IT systems and to report data breaches (e.g the State Records Act 1998 (NSW),  the Privacy and Personal Information Protection Act 1998 (NSW) – the electronic management of personal information and the Privacy Act 1988 (Cth)  – notification of data breaches in respect of tax file numbers.

Councils who subscribe to the electronic lodgment network for land transactions also have obligations to protect information provided by others under the Participation Rules pursuant to the Electronic Conveyancing National Law (NSW).

Providers need to understand those obligations and ensure that their services are compliant and risks are managed appropriately on behalf of their customers.

Conclusion

It is important that digital assets are protected from the risks associated with IT systems and the outsourcing of the management of those systems. IT contracts should contain terms which ensure councils are meeting their obligations.  Management and procurement processes should also be regularly reviewed and updated to reflect current best practice and ensure the implementation of best practice.

If you have any questions about this topic please contact Sue Puckeridge on 02 8235 9702.