Almost forty percent of federal government agencies are yet to fully implement the Australian Signals Directorate’s five-year-old mandatory information security controls.
The result is made more salient by the fact that improvements to cyber resilience across the Australian Public Service (APS) as a whole have slowed since the government’s concerted efforts to improve cyber security began in 2016.
The sobering findings were disclosed in the government's latest protective security policy framework (PSPF) report, which reveals the extent of compliance against the ‘top four strategies to mitigate cyber security incidents’.
The strategies became mandatory for agencies in April 2013 and are considered the best way to avoid at least 85 percent of cyber intrusions.
Last year iTnews revealed that dozens of agencies were struggling to implement all the mandatory minimum cyber security requirements.
Despite this, documents obtained under freedom of information laws showed that the Australian Public Service had improved its cyber security posture year-on-year.
But according to the latest compliance report [pdf] quietly published by the Attorney-General’s Department (AGD) late last week, barely any improvement has occurred since 2015-16.
“Compliance with information security requirements has been an area of ongoing concern,” the 2016-17 compliance report states.
“Despite increased awareness of cyber security risks, and a concerted effort over the year to promote risk mitigation measures, entity compliance with information security requirements did not see significant change.”
The top four, or ‘INFOSEC4’, requirement also remains the worst performing of all PSPF security requirements, which include security governance, personnel security and physical security.
This is despite “information security arrangements” being identified in the report as “an important element of an entity’s effective protective security regime”.
Little change
The report shows that only 60.2 percent of the 93 reporting agencies are fully compliant with the top four controls. This is an improvement of only 1.1 percent on the 2015-16 figure of 59.1 percent. In 2014-15, the figure was 48.4 percent.
(All three figures are different to last year’s report as it contained responses from 105 agencies – including those who reported voluntarily – instead of 93.)
However, there has been much improvement with the top four requirements for Canberra’s biggest service delivery agencies since an audit of the then-Immigration, Human Services (DHS) and Tax agencies in March 2017 – which is outside the time frame of the most recent PSPF reporting.
The audit found that only DHS was fully compliant with the top four, while the ATO and Immigration had failed to properly implement application whitelisting or to adequately patch operating systems and applications.
The ATO has since become compliant and the Department of Home Affairs is now nearing full compliance.
Time for ASD to step in?
With compliance against the top four showing little improvement between 2015-16 and 2016-17, it could be time for the ASD to step in to help agencies.
Director of UNSW Canberra Cyber Nigel Phair believes the result shows a need for ASD to play a more active role and give smaller agencies a helping hand.
“I think what we need to do is we need to start seeing the ASD show a whole lot more love to much lower areas,” he told iTnews, adding that a carrot and stick approach should be used.
“We need the carrot of supporting these organisations, and ASD is the best organisation to support them, along with appropriate budgeting for them to do things.
“And maybe there needs to be some stick behind it with departmental secretaries to appropriately prioritise the investment in time and dollars to get things done.”
Phair said agencies' ability to comply with the top four comes down largely to “dollars and people”, making it difficult for the smaller players.
“The smaller you are the less you’re going to have in both of those sorts of things,” he said.
“So less money and you’re going to have less in-house expertise, and because of that you’re reliant on outside consultants which just takes more dollars.”
But he also acknowledges that compliance with all of the top four is “particularly difficult”, and that as long as you have application whitelisting and reduced administrative privileges in place “you’re 70 percent of the way there to solving a lot of your problems.”
Less transparency ahead
After several reviews and years of consideration, the AGD will introduce a simplified PSPF compliance regime from October for the 2018-19 reporting period.
Under the new regime, the PSPF’s “current 36 requirements will be consolidated to a set of 16 core requirements”.
As part of this, AGD will replace the current yes/no annual PSPF compliance reporting with a “maturity model”.
“While reporting has historically focused on binary indicators of whether an entity is fully compliant with a PSPF requirement (or otherwise), future reporting will be more nuanced towards considering how well entities implement the PSPF in their organisation,” the report states.
“Security maturity reporting aims to capture the level of implementation of an entity’s protective security practices to protect its people, information and assets.
“It provides an assessment of an entity’s protective security risk posture as well as its ability to protect government resources and identify key security risks and vulnerabilities.”
It follows an evaluation of the PSPF as part of the Belcher Review in 2015 that found there was a culture of “’tick-the-box’ compliance”.