ATO claims cyber compliance with ASD Top 4 strategies since November

The tax office is working towards the Essential 8, as well as bumping up its security governance of suppliers.

The Australian Taxation Office (ATO) has stated it has been compliant with the Australian Signals Directorate (ASD) Top 4 mitigation strategies since November last year.

According to executive minutes released on Friday, the ATO has improved its governance framework and strengthened its contracts with its suppliers to ensure compliance with the cyber guidelines, has refreshed its cybersecurity strategy, and has a program of work to make its systems more resilient.

The tax office said an independent review will be conducted to verify its compliance with the Top 4, and that it is working towards meeting the ASD's Essential 8 criteria.

Alongside the then-Department of Immigration and Border Protection, the ATO was called out by the Australian National Audit Office (ANAO) in March last year for having insufficient protection against external threats.

"The Australian Taxation Office's and the Department of Immigration and Border Protection's self-assessments both reported compliance against three of the Top 4 mitigation strategies," the ANAO report said.

"The ANAO assessed that the Australian Taxation Office and the Department of Immigration and Border Protection complied with only two and one of the Top 4 mandatory strategies, respectively."

In response to the report, the ATO said it would become compliant in 2017.

A subsequent ANAO report in November found the ATO did not effectively track the costs and savings involved with the agency-wide transformation.

"The ATO needs to ensure greater conformance to processes for estimating and monitoring project costs, savings, and benefits, to provide transparency about the net benefits of programs and support decisions about the commencement, continuation, resourcing, and direction of projects," the ANAO said at the time.

An ANAO report in February highlighted the ATO lacking service level provisions in some of its supplier contracts, particularly with Amazon Web Services.

"This contract exposes the ATO to contractual and operational risks in the absence of measurable service levels," ANAO wrote at the time.

At a March hearing, the ATO backed its in-house approach to cybersecurity.

Speaking last week to Senate Estimates, freshly minted ASD director-general Mike Burgess said taking a checklist approach to security is not always a good approach.

"Compliance with a list is not by itself good security," Burgess said. "There is no doubt [ANAO's] findings are their findings, but from that you should not necessarily draw that the heads of those departments, the agency heads, are not taking their responsibilities seriously, and they do work hard to identify and manage their security risks."

According to the ASD chief, the existence of legacy IT systems is hampering some agencies from implementing the mandated Top 4 Mitigation Strategies issued by the Signals Directorate.

"If you can't implement that because your IT systems are old and in need of investment, you can still manage that risk effectively by having other security controls in place that help you identify a problem," he said. "Anti-virus software is one such example of that, that enables you to effectively mitigate that risk whilst you can't technically implement application whitelisting at that point in time."

The Top 4 was extended into the Essential 8 in February 2017, with calls to make the additional four steps mandatory in October.