ANAO calls out low self-assessments of Commonwealth cyber compliance

With multiple cyber checklists to test against, Australian government agencies have a strike rate little better than a coin toss.
Written by Chris Duckett, Contributor

The Australian National Audit Office (ANAO) has completed another round of cyber compliance testing, finding that Treasury was compliant with the Australian Signals Directorate (ASD) Top 4 mitigation strategies, while the National Archives and Geoscience Australia were not.

ANAO said that of the 14 organisations it has examined so far, it has found only four compliant with the Top 4, which was made mandatory in April 2013.

In early 2017, the Top 4 was expanded to the Essential Eight; ANAO found that each of the three agencies in this round was compliant with only one of the expanded requirements.

"These findings provide further evidence that the implementation of the current framework is not achieving compliance with cyber security requirements, and needs to be strengthened," ANAO said.

With guidance on cyber compliance provided by the Attorney-General's Department (AGD) in the form of the Protective Security Policy Framework (PSPF), and by ASD in the form of the Essential Eight Maturity Model (EEMM), ANAO was at pains to point out that the two instruments impose conflicting requirements.

"There are shortcomings in the Essential Eight Maturity Model that limit its usefulness in its current form, and could lead to entities inadvertently overstating their cybersecurity compliance if it is used in performing the self-assessment," ANAO said.

As an example, ANAO said it would be possible for an entity to score highly on application whitelisting under the EEMM while meeting only one of the requirements in the same category under the PSPF.

"Given the multiple instruments in assessing the effectiveness of ICT security controls, there is likely to be uncertainty for entities in deciding whether to adopt: a controls-based assessment by using the Information Security Manual; or the simpler Essential Eight Maturity Model, which may not provide the required level of assurance," ANAO said.

ANAO recommended that AGD, ASD, and the Department of Home Affairs provide "adequate technical guidance" to allow accurate self-assessment, establish a way to verify reported compliance, and increase transparency and accountability around cyber compliance.

The audit office said the three organisations it assessed between late 2017 and early 2018 were focused on "short-term operational needs rather than long-term strategic objectives".
