NSW Auditor-General not impressed by government agencies cyber security risk management

“Specific financial reporting, controls and service delivery comments are included in the individual 2017 cluster financial audit reports tabled in Parliament from October to December 2017.” [NSW Auditor-General, Report on Internal Controls and Governance 2017, December 2017]

On 20 December 2017 the NSW Auditor-General released the Report on Internal Controls and Governance 2017.

The Sydney Morning Herald reported on 28 December 2017:

Two-thirds of NSW government agencies are failing to properly safeguard their data, increasing the risk of improper access to confidential information about members of the public and identity fraud by cyber criminals.

The finding has emerged from an audit of dozens of government agencies, including those holding highly sensitive personal information collected from millions of citizens, such as NSW Health, the department of education, NSW Police Force, Roads and Maritime Services and the justice department.

While the report by auditor-general Margaret Crawford does not name the agencies failing to properly manage privileged access to their systems, it highlights the potential consequences.

"Personal information collected by public sector agencies about members of the public is of high value to cyber criminals, as it can be used to create false identities to commit other crimes," she says in the report.

"Despite these risks, we found that one agency had 37 privileged user accounts, including 33 that were dormant. The agency had no formal process to create, modify or deactivate privileged users."

Overall, Ms Crawford's report found 68 per cent of NSW government agencies "do not adequately manage privileged access to their systems".

In addition, she said, the audit determined that 61 per cent of agencies "do not regularly monitor the account activity of privileged users".

"This places those agencies at greater risk of not detecting compromised systems, data breaches and misuse," the report said.

The audit found 31 per cent of agencies "do not limit or restrict privileged access to appropriate personnel". Of those, just one-third monitor the account activity of privileged users.

It found that almost one-third of agencies breach their own security policies on user access.

The report warns that if agencies fail to implement proper controls "they may also breach NSW laws and policies and the international standards that they reference".

Read the full article here.

List of NSW Government Agencies Examined by NSW Auditor-General

Education

Department of Education

Family and Community Services

Department of Family and Community Services

New South Wales Land and Housing Corporation

Finance, Services and Innovation

Department of Finance, Services and Innovation * Specifically identified in report

Place Management NSW

Property NSW

Service NSW

Health

NSW Health

Industry

Department of Industry

Destination NSW

Forestry Corporation of New South Wales

Office of Sport

TAFE Commission

Water NSW

Justice

Department of Justice

Fire and Rescue NSW

Legal Aid Commission of New South Wales

NSW Police Force

Office of the NSW Rural Fire Service

Planning and Environment

Department of Planning and Environment

Essential Energy

Hunter Water Corporation

Landcom

Office of Environment and Heritage

Office of Local Government

Sydney Water Corporation

Premier and Cabinet

Department of Premier and Cabinet

Transport

NSW Trains

Rail Corporation New South Wales

Roads and Maritime Services

Sydney Trains

Transport for NSW

WCX M4 PTY Limited

WCX M5 PTY Limited

Treasury

Crown Finance Entity

Insurance and Care NSW

Lifetime Care and Support Authority

NSW Treasury Corporation

NSW Self Insurance Corporation

Excerpt from Report on Internal Controls and Governance 2017:

Some deficiencies were common across agencies

The most common internal control deficiencies were poor or absent IT controls related to:

user access management

password management

privileged access management

user acceptance testing.

The most common governance deficiencies related to:

management of cyber security risks

capital project governance

management of shared service arrangements

conflicts-of-interest management

gifts-and-benefits management

risk management maturity

ethical behaviour policies and statements.

Can you even imagine personally owing the NSW Government over $204k in unpaid fines? Somebody in the Northmead area can.

As of 30 June 2017 approximately 515,437 debtors owed the NSW State Debt Recovery Office a whopping $839,762,236 as a result of 2,524,845 fines being generated.

The nature of these fines range from penalty notices (e.g. parking fines) through to court fines, State Electoral Office fines, Sheriff Office Jury Branch fines and Bail Forfeiture Orders.

These fines are all overdue and an unknown number of these debtors are serial defaulters.

Here are the top five serial offenders:

The person owing the largest dollar amount hails from the Northmead area, the second largest has an address in the vicinity of Waterloo-Zetland, the third is somewhere in Artarmon and, the fourth & fifth seem to call the Eastern Suburbs home.

In the 2016-17 financial year the State Debt Recovery Office wrote off est. $68.23 million in  debt still outstanding.

Are NSW police racially profiling young offenders?

Junkee, 26 October 2017:

A NSW Police intelligence program that uses secret algorithms to identify suspects who may commit a “future crime” is disproportionately targeting young people and Aboriginal and Torres Strait Islander people, according to a comprehensive new report.

The ‘Policing Young People in NSW’ report was published by the Youth Justice Coalition, a network of youth workers, lawyers, academics and policy experts. It was written by Dr Vicki Sentas, an academic at the University of New South Wales, and Camilla Pandolfni, a solicitor at the Public Interest Advocacy Centre.

The report is the first comprehensive look at the Suspect Targeting Management Plan (STMP), a NSW Police program that “seeks to prevent future offending by targeting repeat offenders and people police believe are likely to commit future crime”.

The STMP involves the use of “risk assessment tools” and algorithms that take into account a series of “risk factors” to identify potential future criminals. Suspects in the program are categorised on a scale from “low risk” to “extreme risk” and then targeted by police officers through regular house visits and the use of stop and search powers.

The criteria used to identify suspects is not publicly available, and individuals targeted through the STMP are not notified of the reasons behind their risk categorisation. The whole program is managed internally by the police and there are no specific laws or regulations governing its operation.

Excerpt from Youth Justice Coalition Report, Policing Young People in NSW: A study of the Suspect Targeting Management Plan:

The preliminary findings based on this research are:

* Disproportionate use against young people and Aboriginal people: Data shows the STMP disproportionately targets young people, particularly Aboriginal and Torres Strait Islander people, and has been used against children as young as ten.

* Patterns of ‘oppressive policing’ that may be damaging relationships between police and young people: Young people targeted on the STMP experience a pattern of repeated contact with police in confrontational circumstances such as through stop and search, move on directions and regular home visits. The STMP risks damaging relationships between young people and the police. Young people, their families or legal representatives are rarely aware of criteria used to add or remove people from the STMP. As the case studies show, young people experience the STMP as a pattern of oppressive, unjust policing.

* Increasing young people’s costly contact with the criminal justice system and no observable impact on crime prevention: The STMP has the effect of increasing vulnerable young people’s contact with the criminal justice system. Application of the STMP can be seen to undermine key objectives of the NSW youth criminal justice system, including diversion, rehabilitation and therapeutic justice. The research has identified several instances where Aboriginal young people on Youth Koori Court therapeutic programs have had their rehabilitation compromised by remaining on the STMP. There is no publicly available evidence that the STMP reduces youth crime.

* Encouraging poor police practice: In some instances, the exercise of police search powers in relation to a young person on the STMP have been found unlawful by the courts. The STMP may be inadvertently diminishing police understanding of the lawful use of powers (set out in the Law Enforcement Police Powers and Responsibilities Act 2002 (NSW) (LEPRA)) and thereby exposing police to reduced efficacy and civil action. * No transparency and an absence of oversight, scrutiny or evaluation: The operation of the STMP is not transparent or accountable. Criteria for placement on the STMP are not publicly available, individuals cannot access their STMP plan and it is unclear what criteria are used by police to remove a person from the STMP…..

Based on the research and findings presented here, the report recommends that:

1. NSW Police discontinue applying the STMP to children under 18. Children suspected of being at medium or high risk of reoffending should be considered for evidence-based prevention programs that address the causes of reoffending (such as through Youth on Track, Police Citizens Youth Clubs NSW (PCYC) or locally based programs developed in accordance with Just Reinvest NSW), rather than placement on an STMP.

2. NSW Police make the STMP policy and operational arrangements publicly available to enable transparency and accountability.

3. NSW Police amend the STMP policy so that any person considered to have a ‘low risk’ of committing offences not be subject to the STMP.

4. NSW Police amend the STMP Policy to mandate formal notification by police to any individual placed on a STMP, including reasons for placement on the STMP and the date of next review. Subsequent notifications to individuals on an STMP should outline the outcome of the review and reasons for the STMP being maintained or discontinued.

5. NSW Police make data on the STMP publicly available through the NSW Bureau of Crime Statistics and Research (BOCSAR). Available data should include demographic information (age, Aboriginal or Torres Strait Islander status, ethnicity, Local Area Command LAC), as well as data on the length of time enrolled in the STMP and the category of risk determined.

6. NSW Police commission BOCSAR to evaluate whether the STMP is reducing youth crime.

7. NSW Police provide all police officers with formal training on the STMP which:

i. Clarifies its status as an intelligence tool;

ii. Provides guidance on the criteria for inclusion and exclusion from the program and the alternative programs available;

iii. Sets out its operational requirements, and limits; and iv. Provides guidance on the relationship of the STMP to the law. For example, training should clarify that a persons’ inclusion on an STMP cannot provide a basis for grounding a reasonable suspicion (either on its own or together with a number of other factors) under LEPRA.

8. The Law Enforcement Conduct Commission (LECC) conduct a comprehensive review of the STMP.1 The terms of reference of the recommended LECC review should include consideration of whether the STMP:

i. is effective and appropriate in dealing with the risk of offending in young people under 25 and children;

ii. is effective and appropriate in dealing with the risk of offending in adults;

iii. is effective and appropriate in relation to other vulnerable people (as defined in clause 28 of the Law Enforcement (Powers and Responsibilities) Regulation 2016), including those with impaired intellectual or physical functioning, Aboriginal and Torres Strait Islander peoples and persons from non-English speaking backgrounds;

iv. is consistent with NSW policy and practice for juvenile justice including principles of diversion from the criminal justice system as well as NSW law, including the Young Offenders Act 1997 (NSW), and the Law Enforcement (Powers and Responsibilities) Act 2002 (NSW); and

v. is consistent with NSW Police policies and practices for policing children and young people, including the NSW Police Force Youth Strategy, as well as the Aboriginal Strategic Direction and Aboriginal Action Plans, the NSW Domestic Violence Strategy, the NSW Police Disability Inclusion Action Plan and all other policies and procedures regarding vulnerable persons.

In the course of the review, the LECC should consult with other professional disciplines such as mental health practitioners, Family and Community Services Managers, the Department of Justice, and community workers about best practice in diversion, crime prevention and the needs of young people.

Finally, this report is the first publicly available study about the STMP. The unjustified secrecy around the STMP has prevented appropriate, transparent, program evaluation and more thorough examination of the impact the STMP is having on young people, crime prevention and police practice. This report’s conclusion that the operation of the STMP is likely to be having damaging effects on young people is compelling grounds for further investigation and external scrutiny.

Liberal disunity on show in NSW

Echo NetDaily, 10 March 2017:

NSW Premier Gladys Berijiklian is without a parliamentary secretary after the shock resignation of Lennox Head-based Liberal MLC Catherine Cusack.

Divisions within the government are beginning to show, with the premier’s office on Thursday announcing it had accepted Ms Cusack’s resignation after an explosive email was leaked to the media.

The email, sent by Ms Cusack to the premier following a factional meeting on Wednesday night, strongly criticised the makeup of Ms Berejiklian’s new cabinet.

‘If the situation was not already offensive enough, if you ever say again you made these decisions “on merit”, I swear I will resign from the Liberal Party and join the cross bench’, Ms Cusack reportedly wrote.

She also took aim at Energy Minister Don Harwin, whose controversial promotion to cabinet has already ruffled feathers within the party.

ABC News, 10 March 2017:

Outspoken NSW Liberal MP Catherine Cusack has withdrawn her threats to move to the crossbench, but is standing by her criticism of Premier Gladys Berejiklian's Cabinet appointments.

Late on Wednesday night, Ms Cusack sent a furious email to Ms Berejiklian criticising her ministerial line-up, saying it was based on factions rather than merit.

"If you say one more time that the Cabinet is based on merit, I will resign from the Liberal Party," Ms Cusack wrote in the email.

The Upper House MP, who yesterday quit as parliamentary secretary, said she now regretted sending the damning email, calling it a huge error of judgement. But she said she stood by her comments about Don Harwin being selected as the state's new energy minister.

Ms Berejiklian suggested Ms Cusack's fiery email may be a case of sour grapes after being overlooked for a position on the Government's frontbench.

"I don't blame people for being disappointed for not being in Cabinet," she said.

"She is entitled to her opinion, but I don't support her views; all of my colleagues have my full support."

Social Housing Minister Pru Goward rejected Ms Cusack's suggestion that the Cabinet was selected based on factions rather than merit.

North Coast marine species protection record of NSW Coalition Government a very sad affair in 2017

One dead Great White Shark and 30 dead in non-target/ innocuous marine species. The NSW Coalition Government has a worse by-catch kill rate than many super trawlers.

NSW North Coast Shark Meshing Trial Report

Report period: 8 Jan 2017 – 7 Feb 2017

Over 8 Jan – 7 Feb 2017 nets were deployed on 27–31 days at five beaches and each checked 28-39 times (Table 1). The contractors are required to check the mesh nets twice a day, but if the weather or bar conditions prevent safe access, then fewer checks are made.

Table 1: The number of days that mesh nets were deployed at each beach, and the number of times each mesh net was checked over 8 Jan - 7 Feb 2017.

Beach	Number of days net deployed	Number of time net checked
Seven Mile, Lennox Head	27	28
Sharpes, Ballina	27	28
Shelly, Ballina	27	29
Lighthouse, Ballina	27	29
Main, Evans Head	31	39

During the second month, 72 individuals across 11 species were caught in the mesh nets

56% were released

44% were deceased and had tissue samples retained for analyses (Table 2).

of the three target shark species (White, Tiger and Bull Sharks), one White Shark was caught in the mesh nets at Sharpes Beach; the animal was deceased and retained for analysis.

      Table 2: The numbers of each species caught in the mesh nets that were alive and released, or dead at each beach.

Beach	Species	Number alive	Number dead
Seven Mile, Lennox Head	Cownose ray	1	0
	Loggerhead turtle	1	0
	Manta ray	0	1
	Whitespotted guitar fish	1	0
Sharpes, Ballina	Cownose ray	1	0
	Great hammerhead shark	0	2
	White shark	0	1
	Green turtle	0	1
	Manta ray	2	3
Shelly, Ballina	Bottlenose dolphin	0	1
	Cownose ray	3	2
	Great hammerhead shark	0	1
	Manta ray	0	1
	Spotted eagle ray	3	0
Lighthouse, Ballina	Cownose ray	3	2
	Great hammerhead shark	0	4
	Ocellated eagle ray	1	0
	Spotted eagle ray	1	0
Main, Evans Head	Cownose ray	17	7
	Great hammerhead shark	0	3
	Loggerhead turtle	0	1
	Manta ray	0	1
	Ocellated eagle ray	1	1
	Spinner shark	1	0
	Spotted eagle ray	4	0
Total		40	32