Committee recommends mandating ASD's 'Essential Eight' mitigation strategies

The Joint Committee of Public Accounts and Audit wants the government to include the additional four steps in its list of mandatory infosec strategies.

The Joint Committee of Public Accounts and Audit (JCPAA) has recommended the Australian government mandate the Australian Signals Directorate's (ASD) Essential Eight cybersecurity strategies by June 2018 in a bid to "save organisations considerable time, money, effort, and reputational damage compared to cleaning up after a compromise".

The February launch of the Essential Eight saw the agency update its Top Four mitigation strategies that were published initially in 2011 and made mandatory by the Australian government in 2013.

In its report, Cybersecurity Compliance Inquiry based on Auditor-General's report 42 (2016-17), JCPAA highlighted that the ASD believes the Essential Eight are so effective it "considers them to be the cybersecurity baseline for all organisations".

The recommendation is one of 10 made by the committee in its report, which also includes further action from the Attorney-General's Department (AGD) on cybersecurity matters.

One such recommendation is that the Auditor-General considers conducting an audit of the effectiveness of the self-assessment and reporting regime under the Protective Security Policy Framework, which was developed to assist Australian government entities in protecting their people, information, and assets, at home and overseas.

Similarly, the committee wants the AGD, alongside the ASD, to report annually on the Commonwealth's cybersecurity posture to the Parliament, such as through the Parliamentary Joint Committee on Intelligence and Security.

"As a strategic priority, it is crucial that Commonwealth entities be accountable to the Australian Parliament on cybersecurity," the report says.

It also wants completion of the ASD survey -- sent annually to all government entities to identify high-risk entities and offer assistance -- to be mandatory for all entities covered under the Public Governance, Performance and Accountability Act 2013.

"In recent years, the non-mandatory survey has only been completed by 30-40 percent of entities. The Committee considers that the ASD survey serves an important role in assisting entities to be cyber resilient," the JCPAA wrote.

Another three recommendations single out the Australian Taxation Office (ATO) and the Department of Immigration and Border Protection (DIBP), with the first asking the departments to report back to the committee on their progress towards achieving full compliance with ASD's Top Four mitigation strategies by June 2018, including advice as to barriers and timelines to complete outstanding actions.

The committee believes that if the four current strategies are implemented, 85 percent of targeted cyber intrusions would be prevented.

Of concern to the JCPAA is that in 2015-16, only 65 percent of non-corporate Commonwealth entities reported compliance with the mitigation strategies.

"This is despite the fact that the Top Four mitigation strategies represent the minimum requirement for entities," the report explains.

The ATO and DIBP were called out by the Australian National Audit Office (ANAO) as lacking on the cybersecurity front back in March.

While capable of handling internal threats, the ANAO said the ATO and DIBP had "insufficient protection" against external threats, even though both agencies had previously said they would be compliant come 2016.

The ANAO report probed a total of seven agencies and flagged only the Department of Human Services as having effectively implemented application whitelisting.

The ANAO probe also formed the basis for the Joint Committee's investigation.

The JCPAA has also asked both the ATO and DIBP to report back to the committee on their progress in implementing the recommendations made by ANAO in its report, including again advice as to barriers and timelines to complete outstanding actions.

The committee said the ATO expects to be fully compliant by 2017, while DIBP could not provide a date for when it expects compliance to be reached. DIBP is soon to be morphed into the Department of Home Affairs, which will be overseen by Peter Dutton.

"The committee notes that the ATO and DIBP are working to improve their governance arrangements and organisational culture," the report says. "Given the risks which have been identified as to the likely effects of either organisation experiencing loss of data as a consequence of not being cyber resilient, this must be a priority."

The committee requests that future cybersecurity compliance audits include an outline of the behaviours and practices it would expect in a cyber resilient entity.

The two remaining recommendations made by the committee relate to the Internet Gateway Reduction Program, which was initially designed to reduce the number of internet gateways within government.

The committee recommends the Australian government make the program mandatory for all entities that fall under the Public Governance, Performance and Accountability Act.

It also wants the Digital Transformation Agency (DTA) to report back to the committee on its review of the program: specifically, a progress report on the review by December 2017 and, by April 2018, the outcomes of the review together with the associated key actions and corresponding timelines.
