Reporting and attestation
Reporting obligations
Portfolio CISOs, and/or central portfolio cyber security teams, are to coordinate NSW Cyber Security Policy reporting across their portfolio.
By 30 June each year, portfolio CISOs are to provide Cyber Security NSW with an updated list of all agencies in their portfolio, with confirmation of how they will be reporting, in a template provided by Cyber Security NSW.
By 31 October each year, Cyber Security NSW must be provided with a report for each agency, either via the portfolio CISO or directly to Cyber Security NSW. Reporting must include:
- an assurance assessment against all Mandatory Requirements in the NSW Cyber Security Policy for the previous financial year
- cyber security risks with a residual rating of high or extreme
- an attestation on cyber security.
Agencies have an obligation to ensure reporting reflects an accurate and verifiable assessment of the Mandatory Requirements, as well as implementation of other requirements in the NSW Cyber Security Policy. As such, agencies must:
- compile and retain, in accessible form, evidence that demonstrates the basis of their assurance assessment
- resolve discrepancies and inaccuracies identified in their reporting, including discrepancies between their reported control implementation and scope, and what is demonstrable with evidence
- ensure their attestations refer to any departures from the requirements of the NSW Cyber Security Policy (see: Attestation).
Mandatory Requirement reporting
By 31 October each year, Cyber Security NSW must be provided with a report for each agency, either via the portfolio CISO or directly to Cyber Security NSW. Agencies must complete an assurance assessment against the Mandatory Requirements in the NSW Cyber Security Policy. It is possible to have a response of “not applicable” with an explanation that is acceptable to your agency (see: Exemptions and extensions).
Risk reporting
By 31 October each year, Cyber Security NSW must be provided with a list of the high or extreme residual cyber risks for each agency, in a format provided by Cyber Security NSW. This list can be provided via the portfolio CISO or directly to Cyber Security NSW. If an agency does not have any high or extreme residual cyber risks, they can provide a response of “not applicable”.
Residual risks must be tracked and managed in a risk register and reviewed in accordance with the agency’s enterprise risk management framework. Risks exceeding the risk appetite and risk tolerance must be escalated to the Agency Head, or to the authorised officer who is responsible for risk acceptance.
As part of the threat-based risk management component of the NSW Cyber Security Policy, agencies are encouraged to also report on key threats identified by the agency, as well as associated risks and mitigations, using the provided template.
Attestation
Agencies must provide a signed annual attestation for the previous financial year to Cyber Security NSW by 31 October each year. If more than one agency is included in the attestation, a list of all the agencies should be detailed within the attestation itself.
The attestation should address:
- whether the agency has assessed its cyber security risks
- whether the agency has cyber security residual risks that exceed the agency’s risk appetite
- whether the agency has adequately reported its cyber security assessment, in compliance with the NSW Cyber Security Policy
- in the case of machinery-of-government changes, the periods of time entities are responsible for respective controls
- whether cyber security is appropriately addressed at agency governance forums
- what the agency is doing to continuously improve the management of cyber security governance and resilience.
In the attestation, the Agency Head must sign off on any Mandatory Requirements that have been assessed as not met or partially met in the assurance assessment. Note that agencies are not expected to have fully met all Mandatory Requirements in the 2023-2024 financial year of NSW Cyber Security Policy reporting, as this reporting year is intended as a baseline only.
There is no expected format for the attestation, as long as the above requirements are explicitly addressed.