Australian cyber policy-makers to face Audit Office probe
The Australian National Audit Office (ANAO) has a handful of non-corporate Commonwealth entities in its sights for the next round of cybersecurity probes, with the three entities responsible for cyber policy within the government to face examination.
The Attorney-General’s Department (AGD); Australian Signals Directorate (ASD); Australian Trade and Investment Commission; Department of Education, Skills, and Employment; Future Fund Management Agency; Department of Health; Department of Home Affairs (DHA); IP Australia; and Department of the Prime Minister and Cabinet will all be under the microscope.
The objective of the audit, ANAO said, will be to assess the effectiveness of cybersecurity risk mitigation strategies implemented by the selected entities, to see if they meet mandatory requirements under the Protective Security Policy Framework (PSPF), and if the support provided by the responsible cyber policy entities is sufficient.
The ANAO proposes to examine whether the selected entities have fully implemented the Top Four cybersecurity risk mitigation strategies, or have otherwise adopted strategies and actions to progress towards full implementation.
It will also determine if the three entities responsible for cyber policy in the Commonwealth — ASD, AGD, and DHA — have “worked together to support accurate self-assessment and reporting by non-corporate Commonwealth entities, and to improve those entities’ implementation of cybersecurity requirements under the PSPF”.
The report is due to be tabled in October.
Earlier this month, the Joint Committee of Public Accounts and Audit announced the commencement of an inquiry to consider the cyber resilience of government entities prioritising information security.
Specifically, the committee will examine two Auditor-General’s reports: Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities and Implementation of the My Health Record System.
The first report followed ANAO’s examination of Australia Post, Reserve Bank of Australia (RBA), and ASC Pty Ltd, an Australian government business involved with naval shipbuilding.
The audit labelled Australia Post as not effectively managing cybersecurity risks, with the report highlighting weaknesses in the postal service’s implementation of its risk management framework.
ANAO also found that both the RBA and ASC effectively managed cybersecurity risks and that both have implemented controls in line with the requirements of the Information Security Manual, including the Top Four and other mitigation strategies in the Essential Eight.
Meanwhile, in probing the contentious My Health Record, ANAO pointed out a number of security issues concerning its implementation, widely giving the system administrator — the Australian Digital Health Agency — the tick as “largely effective”.
“The ability to design and maintain secure cyber networks is essential in modern governance. As such, it is a priority of the committee to ensure that government entities have the appropriate systems in place to protect information security,” committee chair Lucy Wicks said.
Submissions close 19 March 2020.