Agencies get poor marks in security audit
None of the three Australian Government departments audited by the Australian National Audit Office has achieved full compliance with the Essential Eight cybersecurity measures.
The audit of Treasury, the National Archives of Australia and Geoscience Australia found that only the first of these has achieved compliance with even the mandatory Top Four of these measures.
The top four mitigation strategies, developed by the Australian Signals Directorate, involve requiring application whitelisting on desktops and servers, maintaining sound patching policies and procedures for both applications and operating systems, and effectively managing access provisions for privileged user accounts.
As the only department examined to be compliant with these strategies, Treasury alone was deemed to be cyber resilient.
The National Archives only complied with the requirements on application patching and privileged user access, but due to sound general ICT controls was deemed to be internally resilient.
Geoscience Australia had none of the controls in place but was working to achieve compliance with all but the application whitelisting requirement. The agency was nevertheless deemed to be vulnerable to attack.
Each of the agencies had also implemented just one of the remaining non-mandatory Essential Eight strategies — the daily backup of important data. Each had made limited progress in implementing the other three strategies — disabling untrusted Microsoft Office macros, user application hardening and implementing multifactor authentication.
Geoscience Australia and the National Archives have both agreed to the Auditor-General’s recommendation that they establish a plan and time frame to achieve compliance with the Top Four mitigation strategies.
The audit has also recommended that the Attorney-General’s Department, Department of Home Affairs and Australian Signals Directorate work together to improve compliance with the Essential Eight strategies.