Updated 26 March 2021.
A report released by the Australian National Audit Office (ANAO) last week has revealed that the implementation of cyber security risk mitigation strategies by non-corporate Commonwealth entities falls short of mandatory requirements for effectively safeguarding information from cyber threats.
The audit was conducted in response to growing concerns surrounding the increasing “frequency, scale and sophistication of malicious cyber activity” threatening Australia’s social, economic and national security as well as the privacy of its citizens.
In particular, the ANAO notes that “cyber threats are considered to be an increasing risk across Australian Government entities.”
Despite this fact, findings from previous ANAO audits have consistently identified “low levels of compliance [by Government entities] with mandatory cyber security requirements under the Protective Security Policy Framework (PSPF).”
In response to such concerns, the latest Cyber Security Strategies of Non-Corporate Commonwealth Entities audit assessed a group of non-corporate Commonwealth entities for their implementation of these requirements, primarily the Top Four cyber security risk mitigation strategies as outlined by the PSPF.
The audit also assessed the support that the Attorney-General’s Department (AGD), the Australian Signals Directorate (ASD) and the Department of Home Affairs (DHA) provide to non-corporate Commonwealth entities, both for implementing the cyber security requirements and for self-assessing and reporting on that implementation accurately. (ASD and DHA were not themselves among the assessed entities.)
“The implementation of cyber security risk mitigation strategies by the selected entities was not fully effective, and did not fully meet the mandatory requirements of PSPF Policy 10,” the report concluded. “Additional ongoing work will be required to assist entities in achieving a more mature and resilient cyber security posture.”
To achieve this, the ANAO report made a number of recommendations, including: stronger validation of ‘privileged user access’ by the Department of the Prime Minister and Cabinet, together with better risk assessments of security events; better documentation processes within AGD; better support for AGD from ASD; and greater power for the government to hold entities to account for implementing mandatory cyber security requirements.
Editor's Note: An earlier version of this article contained an implication that ASD and DHA were assessed against the PSPF. This was incorrect and has been amended.