Cyber resilience self-reporting on auditor's radar

After agencies struggle to meet top four strategies.

Australia’s national auditor will consider reviewing the effectiveness of agencies assessing their own compliance with the federal government’s mandatory minimum cyber security requirements.

It follows an audit of the Immigration, Human Services, and Tax agencies' cyber resilience in March last year, which revealed that only DHS was fully compliant with the Australian Signals Directorate’s 'top four strategies to mitigate cyber security incidents'.

The top four became mandatory for agencies in April 2013, as part of their annual protective security policy framework (PSPF) self-reporting commitments.

But, as iTnews revealed last year, dozens of agencies have struggled to meet one or more of the strategies in their compliance reporting over the past two years.

The 2017 cyber resilience audit resulted in a parliamentary inquiry, which last October said it was concerned about the adoption of the strategies, despite the controls being well-recognised in and out of government.

It called on the government to require all 180 corporate and non-corporate Commonwealth entities to implement ASD’s revamped ‘essential eight’ cyber security strategies by June 2018.

In response to the committee’s recommendations, the national audit office has now agreed to “consider conducting an audit of the effectiveness of the self-assessment and reporting regime under the PSPF”.

However, it noted that the framework has recently been reviewed by the Attorney-General’s Department, and a revised framework was expected to be implemented in July 2018.

The audit office is currently reviewing the cyber resilience of Treasury, the National Archives and Geoscience Australia, and expects to hand down that audit in June.

It has also slated further cyber security audits for corporate and non-corporate Commonwealth entities over the next year, including the Australian Digital Health Agency’s management of cyber security risks in relation to the My Health Record.

The government is yet to formally respond to the committee’s recommendations.
