Commonwealth Parliament’s Joint Committee of Public Accounts and Audit report into Cybersecurity Compliance makes for melancholy reading about the poor data security of frontline Commonwealth Departments

October 31, 2017

Last week the Joint Committee of Public Accounts and Audit released its long awaited report into Cybersecurity Compliance. It is a valuable report which makes clear that the Committee “gets it” as far as the need for agencies to maintain proper cyber security, given that they are increasingly reliant on data being stored, used and disclosed online by their users. The Committee was also frank in its assessment that key agencies are falling down in this regard. For those practising in this area that comes as little surprise. There remains a poor cyber security and privacy culture in both the public and private sectors. Part of that is due to inadequate legislation and even worse regulation. The Privacy Commissioner has been a poor regulator, and that is reflected in widespread ignorance of an entity’s obligations under the Privacy Act, while those with awareness have little incentive to comply.

The focus of this report was the level of compliance with cyber security standards of the Australian Taxation Office (“ATO”), the Department of Immigration and Border Protection (“DIBP”) and the Department of Human Services (“DHS”) resulting from the Australian National Audit Office, Report No 42 (2016 – 17) Cyber security Follow up Audit which was published on 15 March 2017.

The genesis of the ANAO’s activities was an examination in June 2014 of 7 Government agencies (the Australian Bureau of Statistics, the Australian Customs and Border Protection Service, the Australian Financial Security Authority, the Australian Taxation Office, the Department of Foreign Affairs and Trade, the Department of Human Services and IP Australia) to determine whether they were compliant with the Top Four mitigation strategies set out in the Australian Government Information Security Manual. None were compliant. The Top Four mitigation strategies are application whitelisting, patching applications, patching operating systems and minimising administrative privileges. The ANAO then followed up three of the entities, the ATO, DIBP and DHS. The follow up found that the ATO and DIBP were non-compliant to varying degrees.

It is relevant to note that the Australian Government set a target date for government entities to be compliant with the Top Four Mitigation Strategies by 30 June 2014. That was over 3 years ago.

The Joint Committee noted:

  • that the audit follow up found that the ATO and DIBP are still not compliant with the mandatory ‘Top Four’ mitigation strategies and are not cyber resilient (1.3) & (3.19)
  • that while the ATO expects to be fully compliant with the Top Four mitigation strategies by November 2017, DIBP could not provide a date by which full compliance with all of the Top Four mitigation strategies would be achieved, even though ANAO assessed that there is no impediment to implementing the Top Four mitigation strategies (1.9 – 1.10)
  • that there were discrepancies between the ATO’s and DIBP’s self-assessments and the ANAO’s assessments on cybersecurity compliance (1.14), with both entities reporting compliance with three of the strategies but the ANAO finding the ATO to be compliant with two and DIBP with one of the Top Four mitigation strategies (2.47)
  • that in 2015–16 only 65 per cent of non-corporate Commonwealth entities reported compliance with the Top Four mitigation strategies (1.8)
  • that ANAO suggested entities need to focus on risk planning, managed through audit committees, and on advising accountable authorities on their cybersecurity posture and achievements (3.26)

In February 2017 the Top Four Mitigation Strategies were expanded into the catchily named “Essential Eight”. Given the poor compliance with 4 strategies, the addition of a further 4 hardly bodes well.

I made a submission to the Committee.

It is quite a good report with valuable recommendations. The problem in the area of cyber security is that entities say one thing but tend to put their energies into other activities which provide an immediate benefit. Cyber security only becomes important once there is an attack, and especially once there is a data breach.

The recommendations are:

Recommendation 1

2.9     The Committee recommends that the Australian Taxation Office and Department of Immigration and Border Protection report back to the Committee on their progress to achieving full compliance with the Top Four mitigation strategies by June 2018, including advice as to barriers and timelines to complete outstanding actions.

Recommendation 2

2.12   The Committee recommends that the Australian Government mandate the Australian Signals Directorate’s Essential Eight cybersecurity strategies for all Public Governance, Performance and Accountability Act 2013 entities, by June 2018.

Recommendation 3

2.14   The Committee recommends that the Australian Taxation Office and Department of Immigration and Border Protection report back to the Committee on their progress in implementing ANAO Recommendation 1, including advice as to barriers and timelines to complete outstanding actions.

Recommendation 4

2.16   The Committee recommends that the Auditor-General consider conducting an audit of the effectiveness of the self-assessment and reporting regime under the Protected Security Policy Framework.

Recommendation 5

2.19   The Committee recommends that the Attorney-General’s Department and the Australian Signals Directorate report annually on the Commonwealth’s cybersecurity posture to the Parliament, such as through the Parliamentary Joint Committee on Intelligence and Security.

Recommendation 6

3.6     The Committee recommends that in future audits on cybersecurity compliance, the ANAO outline the behaviours and practices it would expect in a cyber resilient entity, and assess against these.

Recommendation 7

3.8     The Committee recommends that the Australian Taxation Office and Department of Immigration and Border Protection report back to the Committee on their progress in implementing ANAO Recommendation 2, including advice as to barriers and timelines to complete outstanding actions.

Recommendation 8

3.10   The Committee recommends that by June 2018, the Australian Government make the annual ASD survey mandatory for all Public Governance, Performance and Accountability Act 2013 entities to complete.

Recommendation 9

3.13   The Committee recommends the Australian Government make the Internet Gateway Reduction Program mandatory for all Public Governance, Performance and Accountability Act 2013 entities.

Recommendation 10

3.15   The Committee recommends that the Digital Transformation Agency report back to the Committee on the review of the Internet Gateway Reduction Program, including:

  • a progress report on the review by December 2017
  • outcomes of the review and associated key actions and corresponding timelines by April 2018.
