Support and advice for local governments

The Auditor General assessed 45 local governments, tabling the Information Systems Audit Report 2022 – Local Government Entities in Parliament on 28 June 2022. This followed the Cyber Security in Local Government performance audit report which was tabled on 24 November 2021.

These audit reports highlight how inadequate and/or insufficient controls can potentially result in system breaches, the compromising of sensitive and confidential information and financial loss. In particular, recent public cyber security threats require a proactive approach to security and the implementation of controls to protect valuable information and systems.

Six key issues identified in the report are:

• Entities did not implement and continuously monitor appropriate policies and procedures to ensure the security of information systems that support their business objectives.
• Entities did not have appropriate business continuity, disaster recovery and incident response plans to protect critical systems from disruptive events.
• Entities did not have sufficient understanding of their information assets and documentation to demonstrate IT risks are identified, assessed and treated within appropriate timeframes.
• Entities did not implement policies, procedures and training to guide key areas of IT operations such as incident management and supplier performance monitoring.
• Entities did not document or approve change control documentation when making changes to IT systems.
• Entities did not have or implement adequate physical and environmental control mechanisms to prevent unauthorised access, or accidental and environmental damage, to IT infrastructure and systems.

All local governments need to ensure they have policies and procedures that address ‘guiding principles’ of the better practice principles to manage cyber security risks the Auditor General identified in Appendix 1 of the Cyber Security in Local Government report.

Action plans addressing significant matters related to the local government must be submitted to the Minister for Local Government and published on the local government’s website.

The action plan must address the points above, as they relate to the local government in question. 

For further information:

• Review the Auditor General’s reports (linked above).
• View Appendix 1 Better Practice Principles of the Cyber Security in Local Government Auditor General’s report.
• View the good practice principles in the Australian Government Information Security Manual (Information Security Manual (ISM) | Cyber.gov.au) and the Essential Eight controls (Essential Eight | Cyber.gov.au) to protect systems and information.

The Auditor General assessed 45 local governments, tabling the Information Systems Audit Report 2022 – Local Government Entities in Parliament on 28 June 2022. This followed the Cyber Security in Local Government performance audit report which was tabled on 24 November 2021.

These audit reports highlight how inadequate and/or insufficient controls can potentially result in system breaches, the compromising of sensitive and confidential information and financial loss. In particular, recent public cyber security threats require a proactive approach to security and the implementation of controls to protect valuable information and systems.

Six key issues identified in the report are:

• Entities did not implement and continuously monitor appropriate policies and procedures to ensure the security of information systems that support their business objectives.
• Entities did not have appropriate business continuity, disaster recovery and incident response plans to protect critical systems from disruptive events.
• Entities did not have sufficient understanding of their information assets and documentation to demonstrate IT risks are identified, assessed and treated within appropriate timeframes.
• Entities did not implement policies, procedures and training to guide key areas of IT operations such as incident management and supplier performance monitoring.
• Entities did not document or approve change control documentation when making changes to IT systems.
• Entities did not have or implement adequate physical and environmental control mechanisms to prevent unauthorised access, or accidental and environmental damage, to IT infrastructure and systems.

All local governments need to ensure they have policies and procedures that address ‘guiding principles’ of the better practice principles to manage cyber security risks the Auditor General identified in Appendix 1 of the Cyber Security in Local Government report.

Action plans addressing significant matters related to the local government must be submitted to the Minister for Local Government and published on the local government’s website.

The action plan must address the points above, as they relate to the local government in question. 

For further information:

• Review the Auditor General’s reports (linked above).
• View Appendix 1 Better Practice Principles of the Cyber Security in Local Government Auditor General’s report.
• View the good practice principles in the Australian Government Information Security Manual (Information Security Manual (ISM) | Cyber.gov.au) and the Essential Eight controls (Essential Eight | Cyber.gov.au) to protect systems and information.