The audit objective was to re-assess the three entities' compliance with the 'Top Four' mandatory strategies in the Australian Government Information Security Manual (ISM). The audit also aimed to examine the typical challenges faced by entities in achieving and maintaining their desired ICT security posture.
In June 2014, ANAO Audit Report No. 50 2013–14, Cyber Attacks: Securing Agencies’ ICT Systems was tabled in Parliament. The report examined seven Australian Government entities’ implementation of the mandatory strategies in the Australian Government Information Security Manual (Top Four mitigation strategies). The Top Four mitigation strategies are: application whitelisting, patching applications, patching operating systems and minimising administrative privileges. The audit found that none of the seven entities were compliant with the Top Four mitigation strategies and none were expected to achieve compliance by the Australian Government’s target date of 30 June 2014.
The Joint Committee of Public Accounts and Audit held a public hearing to examine Report No. 50 on 24 October 2014. Three of the seven audited entities (the Australian Taxation Office, the Department of Human Services, and the then Australian Customs and Border Protection Service) appeared before the hearing to explain their plans and timetables to achieve compliance with the Top Four mitigation strategies. Each of the three entities gave assurance to the Joint Committee of Public Accounts and Audit that compliance with the Top Four mitigation strategies would be achieved during 2016.
These three major Australian Government entities are significant users of technology: the Department of Human Services relies on its information and communications technology (ICT) systems to process $172 billion in payments annually; through its electronic lodgement systems the Australian Taxation Office collects over $440 billion in gross tax revenue annually; and the Department of Immigration and Border Protection electronically processes around seven million visas annually and inspects and examines around two million air and sea cargo imports and exports.
All three entities collect, store and use data, including national security data and personally identifiable information that can be used to identify, contact, or locate an individual such as date of birth, bank account details, driver’s licence number, tax file number and biometric data.
Not operating in a cyber resilient environment puts entities’ data and business processes at risk, with potentially significant consequences for Australian citizens and other clients and stakeholders.
Audit objective and criteria
The objective for this audit was to assess whether the Australian Taxation Office, the Department of Human Services, and the Department of Immigration and Border Protection are compliant with the Top Four mitigation strategies in the Australian Government Information Security Manual. The audit also examined entities’ cyber resilience, which includes establishing a sound ICT general controls framework and effectively implementing the Top Four mitigation strategies.
To form a conclusion against the audit objective, the ANAO adopted the following high-level assessment criteria: do the entities comply with the Top Four mitigation strategies; and are the entities cyber resilient?
The ANAO assessed that of the three entities only the Department of Human Services was compliant with the Top Four mitigation strategies. The Department of Human Services also accurately self-assessed compliance against the Top Four mitigation strategies and met its commitment to the Joint Committee of Public Accounts and Audit of achieving compliance during 2016.
Of the three entities, only the Department of Human Services was cyber resilient. Cyber resilience is the ability to continue providing services while deterring and responding to cyber attacks. Cyber resilience also reduces the likelihood of successful cyber attacks. To progress to being cyber resilient, the Australian Taxation Office and the Department of Immigration and Border Protection need to improve their governance arrangements and prioritise cybersecurity. The ANAO's recommendations are:
1. The ANAO recommends that entities periodically assess their cybersecurity activities to provide assurance that they are accurately aligned with the outcomes of the Top Four mitigation strategies and with entities’ own ICT security objectives, and that they can report on them accurately. This applies regardless of whether cybersecurity activities are insourced or outsourced.
2. The ANAO recommends that entities improve their governance arrangements by: asserting cybersecurity as a priority within the context of their entity-wide strategic objectives; ensuring appropriate executive oversight of cybersecurity; implementing a collective approach to cybersecurity risk management; and conducting regular reviews and assessments of their governance arrangements to ensure their effectiveness.