ATO and Immigration fail audit, aren't 'cyber resilient'

Only one of Australia's three biggest agencies are "cyber resilient" despite promising parliament they would be compliant with the top four cyber mitigation strategies, the national auditor has found.

A follow-up audit by the Australian National Audit Office (ANAO) of the Immigration, Human Services, and Tax agencies found only DHS was compliant with all four mitigation strategies

The ANAO defines "cyber resilience" as departments being able to continue with service provision while deterring and responding to cyber attacks. The top four mitigation strategies cover application whitelisting, patching operating systems and applications, and restricting admin privileges.

Neither the ATO nor Immigration had effectively implemented application whitelisting, a requirement in the Australian government's information security manual, the ANAO found.

Application whitelisting prevents users from installing and running unauthorised programs, a measure that protects IT systems against the deployment of malicious code.

Immigration "had configured its desktop application whitelisting policies" to allow over 1400 users to bypass the controls, the ANAO said.

It had done so to improve flexibility for users, the auditor noted, but this decision had subsequently increased security risks for the department.

The ATO, meanwhile, was found not to have a coordinated approach to application whitelisting, leaving it to its service providers to pick the policies they wanted.

And both the ATO and Immigration failed to meet the ISM requirements to patch operation systems and applications.

Security patches were not installed because the two agencies decided to not take a large number of servers offline so as to maintain service delivery, the auditor said.

In one case the Immigration department had six versions of the same application installed on its desktops, most of which were no longer supported by the vendor.

Managing partners

The ANAO also found weaknesses in how the ATO and Immigration managed their IT supplier contracts.

Neither department used their internal assurance processes effectively to validate that suppliers' self-assessments were accurate and matched contractual obligations, the auditor said.

As a result both agencies had a limited view of the true status of security patches across their IT systems.

The ANAO said in one case, the ATO did not know that one of its service providers took significantly longer than the period of time specified in the contract with the department to complete security patching.

The national auditor stressed the importance of agencies following best IT security practice, given they are large users of technology that has to be kept secure: DHS processes $172 billion in payments each year using its IT systems, and the ATO collects $440 billion annually with electronic lodgement systems.

Immigration processes some seven million visas per annum, and inspects two million air and sea cargo imports and exports. All three agencies also collect a large amount of sensitive data.

To improve the agencies' cybersecurity posture, the ANAO recommended they periodically assess that they comply with the top four mitigation strategies.

The audit office also recommended the agencies improve their governance arrangements by asserting cybersecurity as a priority, and ensuring appropriate executive oversight.

Agencies should also implement a collective approach to cybersecurity risk management and conduct regular reviews and assessments of their governance arrangements to ensure that they're effecitve.

All three departments have agreed to implement the ANAO's recommendations.