The cyber resilience of the Australian Taxation Office (ATO), Department of Human Services and Department of Immigration and Border Protection is set to be scrutinised as part of a joint committee inquiry.
The Joint Committee of Public Accounts and Audit today announced it had launched an inquiry, based on the Australian National Audit Office’s (ANAO) Cybersecurity Follow-up Audit of the agencies, published last month.
That follow-up audit reassessed the three agencies' IT security posture and each body's compliance with the 'Top Four' mandatory strategies set by the Australian Signals Directorate (ASD).
The ANAO’s report found all three of the agencies had improved their cyber resilience since the 2014 audit; however, only the Department of Human Services was considered “cyber resilient”.
“The ATO and the Department of Immigration and Border Protection had security controls that provided a reasonable level of protection from breaches and unauthorised disclosures of information from internal sources,” the audit concluded.
“However, there was insufficient protection against cyber attacks from external sources. As a result, they remain in the ‘internally resilient’ zone.”
The agencies were found to have varying compliance with the ASD's Top Four cyber mitigation strategies: application whitelisting, application patching, operating system patching, and the restriction of administrative privileges based on user duties.
The Department of Immigration and Border Protection was found to have deviated from its application whitelisting strategy and the ATO had only recently developed one.
As well as shortcomings in operating system patching, all three entities were advised that there was room for improvement in managing privileged user access more effectively. The ATO and the Department of Immigration and Border Protection were both found to have overestimated their security compliance in a self-assessment.
In February, the ASD, which is tasked with providing whole-of-government security guidance, updated its list to include four more mitigation strategies, together dubbed the 'Essential Eight'.
“Cybersecurity is integral to protect Government systems and secure the continued delivery of Government business. Government entities are required to implement mitigation strategies to reduce the risk of cyber intrusions,” said joint committee chair Senator Dean Smith.
“The committee is continuing its oversight of entities’ compliance with the mandated strategies with the launch of this inquiry.”

Smith added that as parliament’s joint public administration committee, his committee had an important role in holding Commonwealth agencies to account.