ANAO in summary comments
Background
1. Cyber security is a strategic priority for the Australian government. A secure cyberspace provides trust and confidence for individuals, business and the public sector to share ideas, collaborate and innovate.
To strengthen trust online, effective implementation of a comprehensive cyber security strategy across government systems is critical to protect Australians’ privacy and Australia’s social, economic and national security interests from targeted cyber intrusions and emerging cyber threats. The Attorney-General’s Department Protective Security Policy Framework outlines the core requirements for the effective use of protective information and communications technology (ICT) security.
2. In February 2017, the Australian Signals Directorate issued the updated Strategies to Mitigate Cyber Security Incidents as a priority list of practical actions entities can take to make their ICT environment more secure. It referred to these cyber security strategies as the Essential Eight and recommended that entities implement the strategies as a security baseline. In June 2017, the Australian Signals Directorate also released the Essential Eight Maturity Model, to assist entities to assess the level of implementation of the Essential Eight mitigation strategies. A revised Model was issued in October 2017.
3. Of the eight mitigation strategies, four are mandatory (the Top Four). Since 2013, entities have been required to undertake an annual self-assessment against the mandatory requirements of the Protective Security Policy Framework. Key elements to achieving compliance with the mandatory mitigation strategies are: sufficient investment; appropriate processes; and a culture that recognises the importance of and requirements for cyber resilience.
4. Three entities were included in the audit: Department of the Treasury (Treasury), National Archives of Australia (National Archives), and Geoscience Australia. These entities were selected based on the character and sensitivity of the information collected, stored and reported.
5. Since 2013–14, the Australian National Audit Office (ANAO) has conducted three performance audits to assess the cyber resilience of 11 different government entities. These audits have identified high rates of non-compliance with the requirements of the Protective Security Policy Framework.
Audit rationale
6. The ANAO decided to conduct this fourth audit of entities’ management of cyber risks recognising ongoing parliamentary interest (including enquiries by the Joint Committee of Public Accounts and Audit) and the level of non-compliance with mandatory requirements identified in previous audits. In Report 467: Cybersecurity Compliance, the Joint Committee of Public Accounts and Audit recommended that the ANAO outline the behaviours and practices it would expect in a cyber resilient entity and assess against these.
Audit objective and criteria
7. The objective of the audit was to assess the effectiveness of the management of cyber risks by the Department of the Treasury, National Archives of Australia and Geoscience Australia.
8. The audit criteria were: do entities have effective arrangements in place for managing cyber risks; do entities monitor and report against cyber security deliverables; and were entities cyber resilient, with a culture of cyber resilience?
Conclusion
9. As with the ANAO’s previous audits of cyber security, this audit identified relatively low levels of effectiveness of Commonwealth entities in managing cyber risks, with only one of the three audited entities compliant with the Top Four mitigation strategies. None of the three entities had implemented the four non-mandatory strategies in the Essential Eight and were largely at early stages of consideration and implementation. These findings provide further evidence that the implementation of the current framework is not achieving compliance with cyber security requirements, and needs to be strengthened.
10. Of the three entities, only Treasury was compliant with the Top Four mitigation strategies and cyber resilient. National Archives was not compliant with the Top Four mitigation strategies but had sound ICT general controls and so was assessed as not cyber resilient but internally resilient. Geoscience Australia was not compliant with the Top Four mitigation strategies and did not have sound ICT general controls so was assessed as vulnerable to cyber attacks. All three entities had implemented only one of the four non-mandatory mitigation strategies in the Essential Eight, and were not well progressed in considering an implementation position for the other three strategies. Figure S.1 shows each entity’s cyber resilience.
11. Two entities had accurately self-assessed and reported their level of compliance with the Top Four mitigation strategies, and the other entity had not. There are shortcomings in the Essential Eight Maturity Model that limit its usefulness in its current form, and could lead to entities inadvertently overstating their cyber security compliance if it is used in performing the self-assessment. With activities underway to revise security reporting under the Protective Security Policy Framework, it is timely to also strengthen guidance supporting entities to self-assess compliance with the mandatory mitigation strategies, and processes to verify the correctness of those assessments.
12. The three entities had partly effective arrangements for managing cyber security risks, with specialist staff in dedicated security positions contributing to existing ICT processes and broader business models. However, the entities did not adopt a risk-based approach to prioritise improvements to cyber security, with cyber security investments focused on short-term operational needs rather than long-term strategic objectives. Until the National Archives and Geoscience Australia achieve compliance with the mandatory strategies, it is inappropriate to consider that a positive cyber resilience culture is in place.