Over the last two years Australia Post has not undertaken detailed security risk assessments for two of its critical systems — its corporate data warehouse and eParcel applications — according to the Australian National Audit Office (ANAO).
A report by the ANAO says that Australia Post’s approach to security falls short in a number of areas. Australia Post has a “fit for purpose” cyber security risk management framework; however, an ANAO audit revealed that the organisation has failed to implement many of the security controls it specifies.
“Australia Post’s cyber security framework and controls have been the focus of internal reviews, which highlighted that Australia Post had not fully implemented the security standards in its cyber security risk management framework,” states the report released today by the ANAO.
Australia Post’s “existing controls do not sufficiently mitigate the risks it has identified,” the ANAO found.
One weakness identified by the audit was patch management, the ANAO said. Australia Post “remediates patches to desktops and servers, however, patch remediation only occurs for extreme and high risk patches in server environments”.
As a result, the rollout of patches has not taken place within the time frames outlined in the Information Security Manual and Australia Post’s own security framework.
A particular challenge is that a number of Australia Post systems are running older operating systems, the ANAO said.
“Australia Post is aware of the issues with its patch management and has projects in place to address them and uplift older systems to new versions,” the report states. Those projects are scheduled over the next six months, the organisation told the ANAO.
Although Australia Post is not “cyber resilient”, it is “internally resilient,” the ANAO concluded, reflecting “the significant volume of resources and effort Australia Post has already committed to developing its cyber resilience”. However, the report adds, “there is still work to be done to move towards, and maintain, a high level of external resilience.”
It recommended that the organisation “conducts risk assessments for all its critical assets where it has not already done so and takes immediate action to address any identified extreme risks to those assets and supporting networks and databases.”
Australia Post said it supported the recommendation.
“Australia Post has clear oversight of its critical asset infrastructures and has prioritised actions under a program of work already underway to address this recommendation,” a response to the audit from Australia Post said.
“This will involve conducting risk assessments for critical assets not yet assessed, updating assessments for those already assessed, and taking immediate action to address any concerns that are identified.”