The highly complex IT environment that spawned from the merger of the federal Immigration and Customs agencies is to blame for the combined agency failing a cyber security compliance audit, Immigration has said.
The agency also argued the ATO and Human Services - the other two big agencies to be audited by the national audit office earlier this year - had a head start over Immigration in their cyber security transformation efforts.
The Australian National Audit Office (ANAO) audit found that Human Services was the only one of the three agencies to be "cyber resilient" and compliant with all four of the ASD's top cyber mitigation strategies.
Immigration and the ATO had failed to properly implement application whitelisting and to patch operating systems and applications, and were not effectively managing their IT supplier contacts, the ANAO found.
All three are currently subject to a follow-up inquiry by parliament's joint committee of public accounts, intended to keep the heat on the agencies to improve compliance.
In a submission to that inquiry, Immigration said it agreed with the findings of the report and would implement the recommendations, but laid out its case as to why it had failed to meet the cyber security obligations.
Former Customs CIO Randall Brugeaud told last year's Gartner Symposium/ITxpo conference that the combined environment prior to integration had more than 500 business and supporting systems, over 850 systems interfaces and services, around 750 databases, 20,000 desktops, 3500 mobile devices, thousands of servers and multiple data centres.
The combined agency also had something from just about every major technology player on its books.
It has made much headway on slimming down its IT environment, but the agency pointed out in its submission to the inquiry that this complexity had an impact on its cyber security compliance.
For example, of its 279 business critical applications, 70 percent are bespoke, the agency said, and its application set is supported by infrastructure spanning 84 regional and 51 offshore locations.
The agency also argued that Human Services and the ATO were further along in their cyber security investments than Immigration.
Immigration said it was only in its second year of a number of multi-year programs covering security, identity and access management, end user computing, and consolidation - whereas Human Services' and the ATO's efforts had begun as much as five years ago.
"[These programs] will significantly enhance the department’s cyber security capability," it said.
Part of its security program stream is dedicated solely to becoming compliant with the ASD's top four cyber mitigation strategies, it said.
It pledged to be compliant with the application whitelisting component across all desktops by July this year after deploying a "strengthened application whitelisting solution" to its Windows 7 desktops. It is currently upgrading to Windows 10.
Servers will be compliant with application whitelisting by July 2018.
A proof-of-concept for multifactor authentication for privileged accounts will be completed this year, and its end user computing consolidation program - due for completion in June 2020 - will introduce a "single departmental end user ICT environment [called] BorderNet" covering single desktop, printing service, email and file systems.
It has also elevated its CISO to a first assistant secretary role and put in place accredited secure gateways, the agency said.
However, the regular patching requirement is a more challenging one.
"It is acknowledged that security patching of ICT systems is one of the department’s core BAU [business as usual] activities that must be undertaken to protect ICT infrastructure and information from disruption or theft from external advanced persistent threats" despite the complexities involved in supporting a myriad of different systems, Immigration said.
It said it was currently developing a business case to increase patching frequency.
Earlier this week the ATO revealed its highly-publicised SAN outages had played a significant role in its ability to meet its cyber security obligations.