Best of 2020: Agencies score poor marks again in security audit

Australian government agencies are still showing very poor levels of compliance with the Australian Signal Directorate’s (ASD) Essential Eight threat mitigation strategies, according to the the latest report from the Australian National Audit Office (ANAO).

The ANAO said its performance audits since 2013 have continued to find low levels of compliance with the mandatory requirement to implement the strategies, with only little improvement each year.

The office said there is “no evidence that the regulatory framework has driven sufficient improvement in entities mitigating their cybersecurity risks since 2013”.

This financial year, the ANAO evaluated the annual self-assessments of 18 agencies’ compliance with the policy as part of its assurance audit program of financial statements.

It found that despite the ASD’s Australian Cyber Security Centre’s Cyber Uplift program, only one of the 18 entities assessed was ranked as achieving a managing maturity level across all eight controls, and none of the eight controls had even close to full compliance across all agencies.

Of the remaining 17 agencies, only one was compliant with multifactor authentication requirements. There were also low levels of compliance with requirements for patching operating systems (three of 18), patching applications (three of 18) and application whitelisting (four of 18).

In addition, only six agencies were compliant with requirements to conduct daily backups and only 10 were restricting administrative privileges.

Across all agencies, 76% of controls were at only an ad hoc or developing maturity level. The audit concluded that all agencies bar one were significantly below the requirements to adopt the Essential Eight strategies.

A number of agencies blamed complexities in their existing IT systems for their failure to comply with the policy.

The onset of the COVID-19 pandemic only worsened the situation, with the ANAO noting that the requirement to rapidly adopt working-from-home arrangements brought additional security risk for government entities.

“While entities’ compliance with Essential Eight remains low, there continues to be the risk of compromise to information relevant to the preparation of financial statements,” the report states.

The audit found a total of 36 weaknesses in agencies’ IT control environments, with the main areas being lax management of user accounts and monitoring of privileged users.

Findings related to IT control environments in fact represent 50% of total findings identified during the audit, which covered seven broad categories. IT security findings accounted for 77%, or 28 of these findings.

Four of these weaknesses were classed as moderate on the severity scale, with the remainder considered minor. Of the four, three were still not resolved since last year’s audit.

Issues uncovered related to areas including user access management, logging of privileged user activity, password configuration, the deletion of inactive privileged accounts, and the overall user access governance and assurance framework.

The remaining audit findings from the IT controls category related to lax IT change management practices (one moderate, six minor), as well as disaster recovery arrangements (three minor).

Image credit: ©stock.adobe.com/au/immimagery

This article was first published on 15 June 2020