26 September 2023

Audit finds cybersecurity offline


A performance audit of the Agencies responsible for ensuring the Australian Public Service complies with cyber security requirements has found their activities were not fully effective.

In his report Cyber security strategies of non-corporate Commonwealth entities, Auditor-General Grant Hehir found the Attorney-General’s Department (AGD), the Australian Signals Directorate (ASD) and the Department of Home Affairs did not accurately self-assess their implementation of the Top Four mitigation strategies, despite reporting full implementation.

“AGD, ASD and Home Affairs could do more to improve support for the implementation of cyber security requirements,” Mr Hehir said.

“The implementation of cyber security risk mitigation strategies by the selected entities was not fully effective, and did not fully meet the mandatory requirements of the Protective Security Policy Framework (PSPF), Policy 10,” he said.

“Two of three entities did not accurately self-assess implementation of one of the Top Four mitigation strategies for which they reported full implementation.”

Mr Hehir said malicious cyber activity had been identified as one of the most significant threats affecting Australians, and that AGD, ASD and Home Affairs were the three Agencies with responsibility for whole-of-Government cyber security policy and operational support.

He said AGD was responsible for the PSPF which provides the framework for Government Entities to achieve the four protective security outcomes; ASD developed the Top Four mitigation strategies mandated by the PSPF and provided material advice to Agencies; and Home Affairs was responsible for the development and coordination of the Government’s cyber security policy.

He said additional ongoing work would be required by the Agencies to assist entities in achieving a more mature and resilient cyber security posture.

Mr Hehir made 13 recommendations aimed at strengthening security controls, improving risk assessments of security events, developing a strategy to improve cyber security maturity, and strengthening arrangements to hold entities to account for the implementation of mandatory cyber security requirements.

The Auditor-General’s Report can be accessed online at this PS News link and his 104-page printed Report at this link.

The Audit team was Esther Barnes, Edwin Apoderado, David Willis, Jason Ralston, Carissa Chen, Kelvin Le, Lesa Craswell and Mark Rodrigues.
