AusPost touts 'business-led cybersecurity risk culture' ahead of committee probe
Despite claims otherwise from the National Audit Office, the postal service said it already has clear oversight of its critical asset infrastructures and has prioritised actions under an existing program of work.
Australia Post's ability to manage cybersecurity risks is currently under the microscope, with the Joint Committee of Public Accounts and Audit probing the postal service as part of its inquiry into the cyber resilience of government entities and how they prioritise information security.
In a submission [PDF] to the committee, Australia Post responded to claims made by the Australian National Audit Office (ANAO) in its audit last year, such as labelling the government-owned entity as not effectively managing cybersecurity risk, highlighting weaknesses in the implementation of its risk management framework.
Australia Post said ANAO's report made one recommendation relevant to Australia Post: that it conduct risk assessments for all of its critical assets where it has not already done so, and take immediate action to address any identified extreme risks to those assets and their supporting networks and databases.
"Australia Post agreed with the recommendation, whilst at the same time noting Australia Post had clear oversight of its critical asset infrastructures and had prioritised actions under a program of work already underway to address the recommendation that involved conducting risk assessments for critical assets not yet assessed, updating assessments for those already assessed, and taking immediate action to address any concerns that are identified," it wrote in response.
"Australia Post also noted that monitoring of the implementation of this program of work would be managed through our information security risk management and compliance programs and would be reported to senior management and our board."
The postal service said it has taken, and continues to take, steps towards implementing its program and key controls, including those evidenced during the audit and referred to in other parts of the report.
Offering examples, Australia Post said it has implemented application whitelisting controls supporting its retail and deliveries environments; provided Information Security Manual (ISM) accreditation for a number of Australia Post services; continued to progress its Cyber Security Resiliency project, which has a scope focused on enhancing controls on critical systems based on likely threats; implemented faster detection and response to cyber incidents; and kicked off a deliveries security uplift project, which it said was enhancing controls on critical deliveries systems.
Since the recommendation was made, Australia Post said it has conducted a maturity level assessment against the Australian Cyber Security Centre Essential Eight Mitigation Strategies.
It said it has also conducted many assessments or at least determined what should be assessed.
"In the interests of further maturing and maintaining strong cyber resilience practices and cultures, Australia Post has since 2012 been actively working to uplift its cybersecurity maturity," its submission continued.
The postal service said it has also embedded a "business-led cybersecurity risk culture".
More concretely, it said it has increased coverage of fundamental security controls, adapted its cybersecurity services to "fit different ways of working to enable our business to get to market with secure services faster", and placed security specialists within its operations.
"This strategy is supported by our Securing Tomorrow program," it wrote. "The program implements strategic capability uplift and the remediation of identified vulnerabilities which are prioritised through our understanding of the threat landscape, our business risks, current control maturity, external reviews, and industry analysis."