The Reserve Bank and naval vessel manufacturer ASC have “effectively managed cyber security risks” but Australia Post has not, according to the latest report on public sector cyber resilience from federal auditor-general Grant Hehir.
“Australia Post has not effectively managed cyber security risks, and should continue to implement its cyber security improvement program and key controls across all its critical assets to enable cyber risks to be within its tolerance level,” says this week’s instalment in the series, which is all about corporate entities. These bodies have much more independence than public service agencies but still have to face the auditor’s scrutiny.
The audit found “a fit-for-purpose cyber security risk-management framework” in all three corporate bodies but Australia Post had not fully implemented all of the security controls in its framework. The postal service also lagged behind the others in terms of implementing the top security controls listed in the federal government Information Security Manual, which are considered “better practice” for them but are not mandatory.
Hehir notes approvingly in his “key message to all Australian Government agencies” that these organisations adopted controls from the ISM despite not being mandated to do so.
The manual’s Top Four controls, on the other hand, are mandatory for the public service, so the auditor-general looks for 100% compliance in non-corporate Commonwealth bodies and often finds them falling short.
Hehir thinks stronger compliance oversight would be good for the public service; in this report he again observes that past audits have found only four of 14 non-corporate entities, or 29%, were compliant at the time he audited them. In self-reporting, about 60% of those agencies claim to have implemented the Top Four.
The new report found the central bank and the naval shipbuilder both rated highly in comparison to other entities that have been audited for cyber resilience in the past, while Australia Post was at a similar level to a lot of public service departments.
“The Reserve Bank and ASC are cyber resilient, with high levels of resilience compared to 15 other entities audited over the past five years. Australia Post is not cyber resilient but is internally resilient, which is similar to many of the previously audited entities. The Reserve Bank has a strong cyber resilience culture, ASC is developing this culture, and Australia Post is working towards embedding a cyber resilience culture within its organisation.”
The Top Four plus the next best four controls in the ISM make up the “Essential Eight” which is highly recommended by the Australian Signals Directorate, but not mandatory for any agency.
“The Reserve Bank and ASC have implemented controls in line with the requirements of the Information Security Manual, including the Top Four and other mitigation strategies in the Essential Eight. Australia Post has not fully implemented controls in line with either the Top Four or the four non-mandatory strategies in the Essential Eight.”
In April, the government confirmed it would not mandate the full “Essential Eight” after taking 18 months to respond to a series of recommendations to improve cyber security from the Joint Committee of Public Accounts and Audit, which were based on inquiries into the auditor-general’s previous cyber-resilience audits. The odd logic was that the government would only consider mandating them after cyber maturity had improved across the Commonwealth.
The latest report from the Australian National Audit Office notes it follows the “ongoing low levels of cyber resilience of non-corporate Commonwealth entities” recorded in previous reports, as well as weaknesses in the compliance framework for mandatory cyber security strategies. It assessed the three corporate entities against three questions:
- Have entities managed cyber security risks in line with their own risk arrangements?
- Have entities managed cyber security risks in line with key aspects of the Information Security Manual?
- Do entities have a culture of cyber security resilience?
According to the report, ASC and the Reserve Bank have met the requirements of their respective frameworks by implementing the specified information and communications technology (ICT) controls that support desktop computers, ICT servers and systems.
The auditor made one recommendation just for Australia Post: it should conduct risk assessments for critical assets and take “immediate action to address any identified extreme risks to those assets and supporting networks and databases” if it finds them.
The audit also includes three points for all government agencies to keep in mind: