The Department of Health is seeking software to help it manage privileged user accounts as it strives to comply with one of the mandatory security requirements for Commonwealth entities.
The department has issued a request for tender for privileged access management (PAM) software which it said will help its “move towards compliance with the Essential Eight Security Controls”.
“Ultimately, the solution will increase the risk posture for the department and safe guarding its people and information from potential threats related to privileged accounts,” the department said.
The ‘Essential Eight’ is a list of high priority security mitigation strategies drawn up by the Australian Signals Directorate. The ASD published the Essential Eight in 2017, building on the agency’s mandatory Top 4 mitigation strategies.
Restricting administrative privileges based on user duties is part of the original Top 4 list — implementation of which has (in theory) been mandatory for Commonwealth agencies since a 2013 update to the Protective Security Policy Framework.
The department said it is seeking software (or a service) that supports integration with Splunk, which the department uses as a security incident and event management tool, and Cherwell’s IT service management platform.
The department has around 6500 standard user accounts and 150 privileged user accounts. Its IT environment is primarily a mix of Windows (around 900 servers) and Red Hat Enterprise Linux (500 servers), as well as and 100 Unix-based appliances and 500 network devices.
It also uses cloud services, and it is seeking software that supports Microsoft Azure, Amazon Web Services, Google Cloud and IBM Blue Mix.
The department indicated it hopes to roll out a solution in early 2019.
In addition to restricting admin privileges, the ASD’s Top 4 comprises application whitelisting, application patching and OS patching. The Essential Eight are rounded out by configuring Microsoft Office macros, user application hardening, deploying multi-factor authentication, and daily backup of important data.
Last year parliament’s Joint Committee of Public Accounts and Audit released a report calling for the Essential Eight to be made mandatory for Commonwealth departments and agencies.
In June 2018, the Australian National Audit Office (ANAO) released the results its fourth audit of government entities’ cyber resilience. The ANAO found that out of the three entities it scrutinised, only the Treasury had implemented the Top 4 — with the National Archives and Geoscience Australia falling short.