An audit of the management of cyber risks in three Australian Public Service Agencies collecting and storing sensitive information has found, once again, that the risks are not being adequately dealt with.
In his report, Cyber Resilience, Auditor-General, Grant Hehir assessed the effectiveness of managing cyber risks in the Department of the Treasury, the National Archives of Australia and Geoscience Australia, in particular how they lined up against the Australian Signals Directorate’s Strategies to Mitigate Cyber Security Incidents issued in 2017.
“As with the Australian National Audit Office’s (ANAO) previous audits of cyber security, this audit identified relatively low levels of effectiveness of Commonwealth entities in managing cyber risks, with only one of the three audited entities compliant with the top four mitigation strategies,” Mr Hehir said.
He said the three entities were selected based on the character and sensitivity of the information collected, stored and reported.
“Since 2013–14, the ANAO has conducted three performance audits to assess the cyber resilience of 11 different Government entities,” the Auditor-General said.
“These audits have identified high rates of non-compliance with the requirements of the Protective Security Policy Framework.”
Mr. Hehir said that none of the three entities in the latest audit had implemented the four non-mandatory strategies in the ‘Essential Eight’ and were largely at early stages of consideration and implementation.
“These findings provide further evidence that the implementation of the current framework is not achieving compliance with cyber security requirements, and needs to be strengthened,” he said.
“Only Treasury was compliant with the top four mitigation strategies and cyber resilient.
“National Archives was not compliant with the top four mitigation strategies but had sound ICT general controls and so was assessed as not cyber resilient but internally resilient.”
He said Geoscience Australia was not compliant with the top four mitigation strategies and did not have sound ICT general controls so was assessed as vulnerable to cyber-attacks.
The audit made two recommendations which were agreed by relevant Agencies.
The Auditor-General’s 72-page report can be accessed at this PS News link.
and the audit team was Alex Doyle, William Na, Matthew Rigter, Lisa Elkner, Kelvin Le, Carissa Chen, Pooja Bajaj, Elenore Karpfen and Andrew Morris.
