Security shortcomings scrutinised at government agencies

Parliamentary committee recommends ongoing audits of agencies' security posture

The Australian National Audit Office should consider conducting regular audits of federal government agencies to monitor their compliance with the top security strategies recommended by the Australian Signals Directorate (ASD), according to a parliamentary report.

The Joint Committee of Public Accounts and Audit (JCPAA) today tabled its latest report on performance audits conducted by the ANAO. Among the audits considered in report 447 of the committee was the ANAO's Cyber Attacks: Securing Agencies’ ICT Systems, which the audit office published in June last year.

The audit assessed the implementation by seven agencies of the top four of 35 security strategies drawn up by the ASD and designed to prevent breaches of ICT systems.

The audit looked at the Australian Bureau of Statistics, the Australian Customs and Border Protection Service, the Australian Financial Security Authority, the Australian Taxation Office (ATO), the Department of Foreign Affairs and Trade, the Department of Human Services (DHS), and IP Australia.

The top four strategies were patching of applications and operating systems, application whitelisting, and minimising administrative privileges.

The ASD has previously estimated that the four measures should prevent some 85 per cent of targeted attempts to hack into agencies' systems.

"The agencies subject to audit had established internal information security frameworks, implemented controls designed to safeguard the enterprise ICT environment from external cyber attack, and had stipulated change management processes to authorise the implementation of security patches for applications and operating systems," the ANAO report concluded

"While these arrangements contributed to the protection of agency information, the selected agencies had not yet achieved full compliance with the top four mitigation strategies mandated by the Australian Government in 2013; a requirement reflecting heightened government expectations in response to the risk of cyber attack.

"Further, none of the selected agencies are expected to achieve full compliance by the Government’s target date of mid–2014, notwithstanding their advice regarding further initiatives which, when implemented, would strengthen ICT security controls and protection against cyber attacks."

"Over the course of the review the committee was concerned to note that of the seven agencies audited, not a single agency was found to be fully compliant with the top four mitigation strategies and related controls in the Australian Signals Directorate's Information Security Manual, and none of the agencies was expected to achieve full compliance by the mandated target of July 2014," the JCPAA's chair, Liberal MP Andrew Southcott, told the House of Representatives today.

The committee's report recommended that the seven agencies work to achieve full compliance with the four intrusion mitigation strategies set out by the ASD, with "each producing a clear and detailed plan of necessary activities, including a definitive date of compliance".

"[A]gencies that do not expect to achieve full compliance before August 2015 should notify the Committee – the Committee may then seek an explanation of why full compliance is not expected to be achieved, as well as the mitigation strategies the agency has put in place," the report states.

Customs last year told the committee that the agency is "in a better position" compared to when it was audited. The ATO said it expected to have implemented application whitelisting by the end of 2014 and to have implemented patching and restricted administrative privileges by the middle of this calendar year.

"Human Services have committed to complete the whitelisting," DHS CIO Gary Sterrenberg told the committee in October.

"We are compliant on the desktops but we have some technical difficulties with the Unix Solaris service…we have committed to do the access control by 2015 and the patching by 2016."

The report recommends the ANAO conducts regular audits of government agencies' compliance with the "the top four mitigation strategies and related controls in the Information Security Manual as well as Commonwealth agencies’ overall security posture".