ANAO finds two government departments inaccurately self-reported cyber compliance

The Audit Office report shows the Attorney-General's Department and Department of the Prime Minister and Cabinet did not accurately self-report full implementation of one or more Top Four mitigation strategies.

The Australian National Audit Office (ANAO) has published its findings of an investigation into the effectiveness of cybersecurity risk mitigation strategies implemented by seven government entities, declaring none have fully implemented all the mandatory benchmarks.

The Attorney-General's Department (AGD); Australian Trade and Investment Commission (Austrade); Department of Education, Skills, and Employment; Future Fund Management Agency; Department of Health; IP Australia; and Department of the Prime Minister and Cabinet (PM&C) were all under the microscope.

The Australian Signals Directorate (ASD) and Department of Home Affairs (DHA) were also probed by ANAO, but they were not included in this assessment. Instead, they were examined only in their roles as cyber policy and operational entities.

Since 2013, non-corporate Commonwealth entities have been required to undertake an annual self-assessment against the Top Four strategies, which are mandated by the AGD's Protective Security Policy Framework (PSPF). Entities report their overall compliance with mandatory requirements to AGD.

The Top Four are: Properly implementing application whitelisting, patching applications, patching operating systems, and restricting administrative privileges.

In addition to none of the seven entities implementing all of the mandatory Top Four mitigation strategies, ANAO found that of the three entities that had self-assessed full implementation for one or more of the mitigation strategies in their 2018-19 PSPF assessment, PM&C and AGD had not done so accurately.

PM&C assessed itself as having fully implemented all the mandatory Top Four mitigation strategies in its 2018-19 PSPF self-assessment.

PM&C was assessed by ANAO as fully implementing the requirements for application control, for patching applications, and for patching operating systems. However, ANAO assessed that PM&C only partially implemented the requirements for restricting administrative privileges.

"While PM&C has a process for validating privileged access on an annual basis, it does not sufficiently ensure that privileged access is restricted to personnel that require it to undertake their duties," the report declared. 

"Weaknesses in PM&C's validation processes increases the risk that a cyber intrusion could result in an adversary acquiring privileged access to its systems and subsequently change and bypass other security measures to compromise the system."

In its 2018-19 PSPF self-assessment, AGD reported that it had fully implemented two of the Top Four: Patching operating systems and restricting administrative privileges.

ANAO assessed that AGD has "substantially" implemented the requirements for patching operating systems but further improvements needed to be made to reach full implementation. ANAO was happy with AGD's assessment that it has fully implemented the requirements for restricting administrative privileges, however.

The Future Fund Management Agency escaped ANAO's wrath for accurately self-assessing the two Top Four mitigation strategies for which it reported full implementation.

"Future Fund has not fully implemented all of the Top Four mitigation strategies, but is internally resilient as it has effective controls in place to support its ability to detect and recover from a cybersecurity incident," ANAO said.

The report also showed five of six selected entities that had self-assessed to have not fully implemented any of the Top Four mitigation strategies have established strategies and implemented activities to manage their cyber risks and to progress toward a "Managing" maturity level for PSPF Policy.

The five entities have also included the implementation of the remaining four strategies that comprise the Essential Eight in their cybersecurity improvement programs.

See also: ASD Essential Eight cybersecurity controls not essential: Canberra

Austrade and the Department of Education were additionally asked by ANAO to set a timeframe to improve their respective cybersecurity maturity.

AGD and DHA are the key regulatory entities where cybersecurity is concerned. The AGD is responsible for setting government protective security policy guidance, including for information security, through the PSPF. ASD, meanwhile, developed the Top Four mitigation strategies.

ANAO said all three "could do more to improve support for the implementation of cybersecurity requirements".

Making five recommendations, ANAO has asked AGD to ensure the maturity levels under the PSPF maturity assessment model are fit-for purpose and effectively align with the maturity levels under ASD's Essential Eight Maturity Model. In addition, it has sought for AGD to provide additional clarity on the PSPF supporting guidance and implement measures to obtain assurance on the accuracy of entities' PSPF self-assessments, while asking for ASD to provide assistance to AGD to support its assurance processes.

ANAO's final recommendation was that the Australian government strengthen arrangements to hold entities to account for the implementation of mandatory cybersecurity requirements.

Such lack of accountability has been the subject of many parliamentary inquiries, with the Joint Committee of Public Accounts and Audit, as one example, highlighting there is no mechanism that allows the individual performance of Commonwealth entities to be probed.

ANAO also said in the period July 2019 to June 2020, there were 436 cybersecurity incidents reported to the Australian Cyber Security Centre by Australian government entities.

RELATED COVERAGE