Some of Canberra’s biggest IT shops have been targeted by the Australian National Audit Office in its latest laundry list of reviews scheduled to take place over the next 12 months.
The auditor will also double down on cyber security, with two potential reviews centred on the cyber resilience of government agencies after repeated failures.
Out of its annual work program of 69 potential reviews for 2020-21, released earlier this month, more than 10 are aimed at IT, cyber security, privacy and data.
The ANAO has proposed taking a fine-toothed comb to the IT management practices of two of the agencies with the largest IT spend: the Department of Defence and Services Australia.
Responsible for a total spend of $1.3 billion each year, Defence’s chief information officer group (CIOG) will face a possible review into its oversight of the department’s IT activities.
This will take place as part of a wider audit of Defence’s enabling activities, including estate and infrastructure management.
“A series of audits would examine the effectiveness of Defence’s administration of two enabling activities — ICT and estate and infrastructure management,” the ANAO said.
It said the audits would “examine the engagement and coordination of enabling services at the enterprise level”, as well as monitor and report on the delivery of those services.
CIOG currently looks after 134,000 workstations, 8400 servers and 3000 applications, as well as three primary data centres for approximately 133,000 Defence personnel.
Services Australia’s $1 billion-plus Centrelink payments system overhaul is also facing a potential audit over the next year, as the project nears the finishing line.
It would be the second time the seven-year project, affectionately known as the welfare payments infrastructure transformation (WPIT) program, has come under the microscope.
But unlike the previous audit, which reviewed how the current welfare payment system was being sustained and any future transition, this one is expected to look at project management.
“This audit would examine Services Australia’s approach to program management and governance of budget, scope and timeframes to ensure the program delivers intended value and benefits to Services Australia and system users,” ANAO said.
Services Australia will also potentially face a separate audit into the “collection, verification, recording and exchange of customer information and data” through Centrelink, Medicare and Child Support.
The audit would look at how the agency exchanges data with third parties like the Australian Taxation Office to “streamline processes, provide faster outcomes and reduce debt”.
It will also examine whether Services Australia’s identity management policies align with Australia’s National Identity Security Strategy.
More cyber resilience audits on the way
As with last financial year, cyber security will continue to be a focus area for the auditor over the coming 12 months due to the limited progress made by government agencies.
The review, which would likely assess the cyber resilience of three or four non-corporate or corporate Commonwealth entities, would continue a series of audits that first began in 2017.
“The scope would include comparing the entities’ cyber security framework and controls against the mandatory controls required under the Protective Security Policy Framework and the ASD’s Essential Eight Maturity Model,” ANAO said.
The audits are crucial for keeping agencies in check, given that the ASD and the Australian Cyber Security Centre have no responsibility for enforcing compliance with the Top Four and Essential Eight controls.
The cyber resilience of the majority of agencies audited to date has been found to be lacking, with Australia Post the latest government organisation to be told to improve its practices.
More recently, more than 70 percent of agencies still report either ‘ad hoc’ or ‘developing’ levels of maturity, which are the lowest possible scores under the government’s metric.
The auditor is also considering a wider review of the government’s Protective Security Policy Framework, which was only revised by the Attorney-General’s Department in late 2018.
The audit would assess the effectiveness of the department in promoting the framework and “the extent to which selected entities are meeting its core requirements”.
Agencies have struggled to meet the cyber security requirements of the framework, which relies on a self-assessment process, for several years, even following its revision.
Despite stressing the framework is “by no means … a failure”, the department has conceded that the government has begun looking at ways to strengthen the accountability of agencies.
Other potential audits slated for 2020-21 include:
- The Department of Foreign Affairs and Trade’s implementation of the $137 million Coral Sea Cable system project that connected the Solomon Islands and Papua New Guinea with Australia.
- The Australian Transaction Reports and Analysis Centre’s (AUSTRAC) regulation of digital currency exchange providers under the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2017.
- NBN Co’s transition from building to operating the NBN when it completes construction of the NBN ‘volume rollout’ in June 2020, which has been identified as a key business risk.
- The Australian Taxation Office’s governance arrangements and associated frameworks, processes and practices for the effective, efficient and compliant use of data.
- The Department of Prime Minister and Cabinet’s implementation of the Australian Government Public Data Policy Statement.
- The use of evidence and data in the policy development process, including by the Department of Prime Minister and Cabinet.