Page title

Local governments collect large volumes of sensitive data to deliver essential services to their communities.

As information and cyber security threats continue to evolve, it is important to take a proactive approach to security and the implementation of controls to protect valuable information and systems.

The Auditor General assessed 45 local governments, tabling the Information Systems Audit Report 2022 – Local Government Entities in Parliament on 28 June 2022. This was further to the Cyber Security in Local Government performance audit report which was tabled on 24 November 2021.

The audit report includes case studies which highlight how weak controls can potentially result in system breaches, loss of sensitive and confidential information, and financial loss. The six key areas raised are:

• Entities did not implement and continuously monitor appropriate policies and procedures to ensure the security of information systems that support their entity business objectives.
• Entities did not have appropriate business continuity, disaster recovery and incident response plans to protect critical systems from disruptive events.
• Entities did not have sufficient understanding of their information assets and documentation to demonstrate IT risks are identified, assessed and treated within appropriate timeframes.
• Entities did not implement policies and procedures to guide key areas of IT operations such as incident management and supplier performance monitoring.
• Entities did not document or approve change control documentation when making changes to IT systems.
• Entities did not have or implement adequate physical and environmental control mechanisms to prevent unauthorised access, or accidental or environmental damage to IT infrastructure and systems.

The extent of the matters identified in the report suggests all local governments need to review their processes, policies and guidelines against these key areas.

All local governments need to ensure they have policies and procedures that address ‘guiding principles’ of the better practice principles to manage cyber security risks the Auditor General provided in Appendix 1 of the Cyber Security in Local Government report.

Further information

• Guiding principles when managing cyber security risks are provided in Appendix 1 of the Cyber Security in Local Government report.
• Guidance and case studies of recent cyber attacks in the public sector are available on the Australian Cyber Security Centre (ACSC) website.
• The ACSC also outlines good practice principles in the Australian Government Information Security Manual and the Essential Eight mitigation strategies.