Australia Post has been told to improve its cyber security practices after the national auditor found risk management gaps relating to two of its critical systems.
But two other corporate Commonwealth entities - the Reserve Bank of Australia and ASC - have largely been given a clean bill of health in an audit of cyber resilience.
The audit by the Australian National Audit Office (ANAO), released late on Thursday, examined the three entities based on a sample of their critical corporate platforms and systems.
This meant AusPost's corporate data warehouse and eParcel applications, the RBA's information and transfer system and ASC's enterprise resource planning system.
However, only AusPost was called out for having “not effectively managed cyber security risks”, having not undertaken a “detailed security risk management assessment” on the two systems for two years.
One of the reasons for this result was that, despite having a fit-for-purpose cyber security risk management framework, the government-owned corporation had “not met the requirements of its framework”.
The audit found only half of the ten sampled controls were designed and implemented as specified in the framework, with others only partially implemented or not in place at all.
“Australia Post has not met the requirements for ICT controls in its framework, having not implemented all specified key controls, and as a result has rated the overall cyber risk as significantly above its defined tolerance level,” the ANAO said.
The federal government’s top four cyber mitigation strategies and the information security manual (ISM) more broadly, although not required to be implemented, were highlighted as an area of concern.
AusPost was found not to have “fully implemented controls in line with either the top four or the non-mandatory strategies in the essential eight”.
As a result, the corporation was found only to be “internally resilient” and not “cyber resilient”, which the auditor said was similar to a number of previously audited entities.
“Australia Post has implemented two of the top four mitigation strategies, patching ICT applications and minimising privileged user access,” the auditor said.
One of the top four strategies not in place was application whitelisting for “blocking unauthorised applications from executing on its corporate desktop and server environments”, which AusPost claimed “would not be suitable for operations within particular environments”.
However, the ANAO noted that the government-owned corporation had implemented one of the non-mandatory essential eight controls, daily backups, as well as other ISM requirements beyond the essential eight.
“All three entities have implemented mitigation strategies beyond the requirements of the essential eight, such as the Reserve Bank using machine learning and analytics to detect cyber threats,” the audit states.
“The Reserve Bank and Australia Post went further and adopted aspects of recognised national and international cyber security frameworks applicable to their industry or regulatory environments.”
The audit has recommended AusPost conduct risk assessments for critical assets not yet assessed and immediately address any extreme risks uncovered, to which the corporation has agreed.
“Australia Post has clear oversight of its critical asset infrastructures and has prioritised actions under a program of work already underway to address this recommendation,” it said.
However, AusPost also noted that a number of unaudited critical platforms and systems, such as those supporting government, identity and financial services, maintained a “high level of cyber resilience”.
The audit was the latest in a long succession of cyber security reviews across government, but the first to assess corporate Commonwealth entities.
The RBA and ASC were found to have some of the highest levels of resilience of all the reviews conducted by the ANAO since 2012, having implemented controls in line with the requirements for the top four.
“The Reserve Bank and ASC are cyber resilient, with high level of resilience compared to 15 other entities audited over the past five years,” the auditor said.