The Australian Taxation Office has become compliant with the federal government’s minimum cyber security requirements, more than four years after the mandatory rules came into force.
The department reached full compliance with the Australian Signals Directorate’s (ASD) ‘top four strategies to mitigate cyber security incidents’ in November last year, after failing a cyber resilience audit only months earlier.
The audit of the Immigration, Human Services, and Tax agencies found only DHS to be fully compliant with the top four in March 2017.
The strategies became mandatory for agencies in April 2013, as part of their annual protective security policy framework (PSPF) self-reporting commitments.
The ATO was found to have effectively patched applications and minimised administrative privileges, but was lacking when it came to implementing application whitelisting and patching its servers.
Dozens of agencies have struggled with cyber security compliance in recent years, with more than a third of the 105 reporting agencies failing to meet one or more of the strategies in the most recent reporting.
But late last week the ATO indicated it had now met all of the top four, and would conduct an independent review by the end of the financial year to “provide assurance” that it has in fact achieved compliance and addressed the recommendations of the audit.
“The ATO has achieved compliance, has made significant progress in addressing the [audit office’s] recommendations and is on track to finalise the recommendations this financial year,” it said in response to a parliamentary inquiry established to scrutinise the findings of the audit.
The department said it had now put in place a “program of work to ensure resilient, compliant systems that promote trust” and was taking a “multifaceted approach” to strengthening its cyber security posture.
It has also improved security governance with its third party suppliers and is working to strengthen contract clauses “to more effectively ensure compliance”.
The ATO said it is also “progressively implementing” the ASD’s revamped ‘essential eight’ cyber security strategies, which the committee has called on the government to mandate for all 180 corporate and non-corporate Commonwealth entities by the end of this month.
The essential eight are now considered the baseline for cyber security by the ASD.
However, the government is yet to formally respond to the recommendations.