Audit finds Australia Post not effectively managing cyber risks

The government-owned entity that wants to build Australia's national identity system and conduct voting via blockchain has been called out by the Audit Office for not being 'cyber resilient'.
Written by Asha Barbaschow, Contributor

The Australian National Audit Office (ANAO) has labelled Australia Post as not effectively managing cybersecurity risks, with a report highlighting weaknesses in the postal service's implementation of its risk management framework.

In the Auditor-General's Performance Audit Cyber Resilience of Government Business Enterprise and Corporate Commonwealth Entities [PDF], ANAO recommended that Australia Post continue to implement its cybersecurity improvement program and key controls across all of its critical assets so that cyber risks are brought within its tolerance level.

While ANAO said Australia Post has a fit-for-purpose cybersecurity risk management framework, it found that the postal service falls short of actually meeting that framework's requirements, having not implemented all of the key controls it specifies.

"Australia Post has not fully implemented controls in line with either the Top Four or the four non-mandatory strategies in the Essential Eight," ANAO wrote.

The Essential Eight -- a government-mandated extension of the Top Four mitigation strategies -- was expanded in early 2017. It covers application whitelisting and asks entities to patch applications and operating systems, disable Office macros, harden user applications, restrict administrative privileges, set up multi-factor authentication, and conduct daily backups.


Australia Post has implemented two of the Top Four mitigation strategies -- patching IT applications and minimising privileged user access. Where the Essential Eight is concerned, Australia Post has implemented controls for only one -- daily backups of data.

"While having embedded eight of the 13 assessed behaviours and practices, Australia Post has not systematically managed cyber risks, including not assessing the effectiveness of controls applied outside its specified cybersecurity risk management framework," the report said.

ANAO said that while Australia Post is not cyber resilient, it is internally resilient, noting this was similar to many of the previously audited entities. ANAO said Australia Post is working towards embedding a "cyber resilience culture" within its organisation.

"Australia Post has not met the requirements for ICT controls in its framework, having not implemented all specified key controls, and as a result has rated the overall cyber risk as significantly above its defined tolerance level," ANAO continued.


The 210-year-old postal service's framework incorporates aspects of the following standards: the Australian Government Information Security Manual; the National Institute of Standards and Technology (NIST) Cybersecurity Framework; ISO/IEC 27002 (Information technology -- Security techniques -- Code of practice for information security controls); and the Payment Card Industry Data Security Standard.

Also under the microscope in this audit were the Reserve Bank of Australia (RBA) and ASC Pty Ltd, an Australian government business involved in naval shipbuilding.

ANAO found that both the RBA and ASC effectively managed cybersecurity risks, and that both have implemented controls in line with the requirements of the Information Security Manual, including the Top Four and other mitigation strategies in the Essential Eight.

In calling the cybersecurity risk management frameworks in place at both ASC and the RBA fit for purpose, the report said the two organisations have met the requirements of their respective frameworks by implementing the specified IT controls that support desktop computers, IT servers, and systems.

The Reserve Bank and ASC are cyber resilient, ANAO said, with high levels of resilience compared to 15 other entities audited over the past five years. Specifically, the RBA has a strong cyber resilience culture while ASC is developing its culture.

Both have met the requirements for implementing IT controls contained in their cybersecurity risk management framework, and both have also implemented controls in line with the requirements for the Top Four.

ANAO said the RBA has gone further, implementing mitigation strategies beyond the requirements of the Essential Eight, such as using machine learning and analytics to detect cyber threats.

"The Reserve Bank has a strong cyber resilience culture, having established all 13 assessed behaviours and practices in the areas of cybersecurity governance and risk management, roles and responsibilities, technical support, and monitoring compliance," the report said.

"ASC is developing a cyber resilience culture, having embedded seven of the assessed behaviours and practices and working to more fully establish the other six cybersecurity behaviours and practices within its business processes."

ANAO said it selected the three entities for audit based on the character and sensitivity of the information collected, stored, and reported by each, including that the entities manage critical infrastructure or systems of national interest.

"Despite the importance of cybersecurity in safeguarding the Australian government's digital information, there have been ongoing low levels of cyber resilience of non-corporate Commonwealth entities and weaknesses in the regulatory framework for ensuring compliance with mandatory cybersecurity strategies," ANAO added.

Since 2013-14, when the Information Security Manual became mandatory policy for non-corporate Commonwealth entities, the Auditor-General has tabled four performance audits assessing the cyber resilience of 14 such entities.

It said the audits identified that only four entities -- 29% -- had complied with mandatory government requirements for information security, and that the regulatory framework had not driven sufficient improvement in cybersecurity.

In a previous ANAO audit on cyber resilience, Geoscience Australia was labelled as lacking where the Top Four mitigation strategies were concerned.

Following the ANAO probe, Geoscience Australia agreed to improve its security posture, telling the Joint Committee of Public Accounts and Audit in March that it would be compliant with the Top Four by 30 June.

Its CEO Dr James Johnson admitted that cybersecurity was not previously a priority for the government agency.

As reported by ZDNet in February, in a bid to fix its culture, Geoscience Australia has been immersing its staff in the world of government-owned enterprises, learning from organisations it regards as "leading" the way.

Leading the way, Geoscience Australia director of scientific computing Ole Nielson explained, is Australia Post.

"We ended up sending four staff down to Melbourne to go work for Australia Post for 100 days to learn their culture internally and flew another 30 or 40 people down on day trips to see how they worked with continuous delivery and cloud engineering," Nielson told the Public Sector Digital Transformation & Optimisation conference in Canberra. "And they became the nucleus of a new cloud capability that has since then grown."
