A performance audit of the management of cyber risks at three major Government enterprises has found one of them in need of improvement.
In his report, Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities, Auditor-General Grant Hehir assessed the cyber risk management at the Reserve Bank of Australia (RBA), ship-building company ASC Pty Ltd and Australia Post.
Mr Hehir noted that while cyber security was a strategic priority for the Government, it was not mandatory for Government business enterprises and corporate Commonwealth entities to apply the Protective Security Policy Framework.
“Accordingly, it is better practice for such entities to implement the Top Four and other Essential Eight mitigation strategies in the Australian Government Information Security Manual,” Mr Hehir said.
He said that while the RBA and ASC had effectively managed cyber security risks, this was not the case with Australia Post.
“All three entities have a fit-for-purpose cyber security risk management framework,” Mr Hehir said.
“ASC and the Reserve Bank have met the requirements of their respective frameworks.
“Australia Post has not met the requirements of its framework, having not implemented all specified key controls.”
He found Australia Post had not fully implemented controls in line with either the Top Four or the four non-mandatory strategies in the Essential Eight.
“The Reserve Bank and ASC are cyber resilient,” Mr Hehir said.
“Australia Post is not cyber resilient but is internally resilient.”
He said the RBA had a strong cyber resilience culture, ASC was developing its culture and Australia Post was working towards embedding a cyber resilience culture within its organisation.
The audit recommended Australia Post conduct risk assessments for all its critical assets where it had not already done so and take immediate action to address any identified extreme risks to those assets and supporting networks and databases.
This was agreed by Australia Post.
The Auditor-General’s 60-page report can be accessed online at this PS News link, or printed at this link. The audit team was Esther Barnes, Edwin Apoderado, Kelvin Le, Jason Ralston, Carissa Chen, David Ma, David Willis, Bola Oyetunji and Andrew Morris.