​Department of Health wants to up security posture to Commonwealth standard

The Australian government department wants a solution to support its move towards compliance with the Essential Eight Security Controls.

The Department of Health is seeking help with Australian government security compliance, publishing a request for tender (RFT) for a privileged access management (PAM) solution.

The solution, the department said, is required to support Health's "move towards compliance with the Essential Eight Security Controls".

"Ultimately, the solution will increase the risk posture for the department and safe guarding its people and information from potential threats related to privileged accounts," the RFT explains.

The Australian Signals Directorate (ASD) published its Essential Eight strategies to mitigate cybersecurity incidents in February 2017 as an update to its Top Four mitigation strategies that were published initially in 2011 and made mandatory by the Australian government in 2013.

The Joint Committee of Public Accounts and Audit last year recommended the Essential Eight be mandated by June 2018 in a bid to "save organisations considerable time, money, effort, and reputational damage compared to cleaning up after a compromise".

The Australian National Audit Office currently uses the Top Four mitigation strategies when auditing the security posture of government entities, and found out earlier this year that only four out of 14 government entities were compliant with the five-year-old requirement.

The department specifically wants the new solution to reduce the risks associated with privileged accounts on its network by providing the monitoring, controlling, responding, and auditing capabilities of privileged accounts.

The Department of Health has approximately 6,500 standard user accounts, 150 of which are classed as privileged. Its environment consists of: A total of 1,700 servers comprised of 900 Windows, 500 RHEL, and 100 Unix installations; 500 network devices including routers, switches, firewalls, load balancers, WAP, and WAN accelerators; 20 domains; and a combination of Microsoft Azure/Office 365 and Amazon Web Services (AWS) cloud-based environments.

The solution tendered for must be able to manage accounts across Google cloud and IBM Blue Mix, in addition to Azure and AWS.

Currently, the Department of Health uses a level 3 Delegated Security Model (DSM) for privileged account management, a Cherwell service management tool, and employs Splunk for centralised logging, security incidents, and event management.

With its new solution, the department wants licensing for 100 privileged accounts. It also wants the adopted solution to integrate to Splunk and Cherwell, as well as the 50-odd existing admin and privileged account users from those services.

"The solution must have the ability to proxy privileged access to multiple ICT resources (including applications, services, servers, or network appliances), on premises and in the cloud, in multiple forests, domains, and stand-alone instances," the RFT explains.

The Department of Health also wants three years of support as standard with the new software.

Submissions close December 11, 2018, with the department eying off January 16, 2019, as the commencement date for the chosen solution.

READ ALSO

My Health Record remains opt-out as Senate passes privacy amendments

The Australian government's version of improved health data privacy controls will be implemented after only minimal Senate debate.

Block adverts, delete Flash, kill Java: ASD

The Australian Signals Directorate's award-winning Top Four cyber threat mitigation strategy has become the Essential Eight. They're based on data, they're essential, and they'll upset vendors.

ASD and ACSC looking beyond list compliance approach to security

The National Audit Office can make adverse findings against departments, but ASD head Mike Burgess is satisfied agencies are taking security seriously.

T-Mobile data breach shows importance of securing internal tools (TechRepublic)

A flaw in T-Mobile's website allowing anyone to access customer data highlights the need for internal audits and authentication.

ASD calls on government chief executives to up their cybersecurity game

The Australian Signals Directorate's newly minted director has rejected the idea of a cybersecurity skills shortage, highlighting rather there's a need to ensure the people at the top of government departments are aware of the threats they face.