While comparatively tiny, the Australian Capital Territory has nevertheless managed to pull together an IT security policy.
The problem is, however, that no-one knows if its recommendations are mandatory or whether they are guidelines.
That might have something to do with responsibility for infosec being distributed among nearly half a dozen bodies and agencies. It’s probably little surprise that the jurisdiction that is home to bureaucrats manages to breed layers of bureaucracy.
In her 2012 report, auditor-general Maxine Cooper mapped cyber security functions as far and wide as the Treasury’s records office, the shared services team, the justice directorate and the parliament’s security in government committee.
She painted a picture of the latter as a toothless body with a tendency to make policies and then forget about them a year or two later.
At that time, confusion about the Protective Security Policy Guidelines seemed to have taken its toll.
Cooper’s report found that even though having a system security plan was a requirement of the policy, only 5 percent of information management systems had one. Only 2 percent had undergone a threat and risk assessment, and none of the security assessments had been revised since 2010.
When Cooper issued the report, the Protective Security Policy Guidelines were under review to decide if a subset of 33 actions should be made mandatory.
As a result, in 2014, the policy was amended to include a list of four compulsory - if still somewhat vague in their substance - rulings.
They boil down to every directorate having its own risk-based security framework that adheres to the PSPG, keeping shared services informed about their sensitive data holdings, and meeting all legal obligations.
The revised policy still leaves a lot of wriggle room for ACT government entities, but let’s hope the stricter line boosts cyber awareness inside the jurisdiction that supports - even if it doesn’t control - some of the most critical infrastructure housed in the nation’s capital.