Committee rubbishes agencies' security compliance

The Joint Committee of Public Accounts and Audit has given poor marks to the government's cybersecurity compliance and resilience, and made a series of recommendations for lifting compliance.

An inquiry into cybersecurity compliance, focused on the Auditor-General's recent audit, found that the ATO and the Department of Immigration and Border Protection are still not compliant with mandatory mitigation strategies that should have been put in place by mid-2014.

In addition, only 65% of all non-corporate government entities were compliant with the Top Four recommended mitigation strategies as of 2015–16, despite these strategies being the minimum requirement for these entities.

The committee recommended that all entities achieve compliance as soon as possible, noting that there is no impediment to the implementation of these strategies.

In addition, the committee has recommended that the government mandate compliance with the Australian Signals Directorate's (ASD) Essential Eight cybersecurity strategies by June 2018.

The ASD and the Attorney-General's Department should meanwhile report annually on the government's cybersecurity posture, and the annual ASD survey should be made mandatory for eligible government entities to complete, the committee found.

Other recommendations include an audit of the effectiveness of the Protected Security Policy Framework's current self-assessment and reporting regime, as well as mandatory compliance with the Internet Gateway Reduction Program for all eligible entities.

Follow us and share on Twitter and Facebook