Geoscience Australia is nearing compliance with all eight of the government's mandatory and non-mandatory cyber security requirements after being found to be vulnerable to cyber attack in 2018.
In answers to questions on notice from senate estimates, the peak geoscientific research agency said it had now implemented all the Australian Signals Directorate’s top four controls.
“Systems have been implemented addressing the mandatory controls of application whitelisting, patching operating systems, patching applications and restricting administrative privileges,” it said.
The upgrades have taken place since March 2019 as part of the agency’s security improvement program, which began in the wake of a damning 2018 review by the national auditor.
The audit found that the agency had failed to implement any of the top four controls, with application whitelisting and application patching highlighted as particularly immature.
“Geoscience Australia was assessed as vulnerable, with a high level of exposure and opportunity for external attacks and internal breaches and unauthorised disclosures of information,” the 2018 audit report stated.
One particularly damning finding was that, in some instances, critical application patches were taking up to 30 days to install, where the current requirement is 48 hours.
But “substantial improvements to Geoscience Australia’s cyber resilience” have been delivered since the security improvement program began, the agency said.
The improvements are the result of a $5.1 million internal investment in the cyber security program, which has cost the agency $3.7 million to date.
Geoscience Australia is now working to have all Essential Eight cyber mitigation strategies in place, which it said is currently “on track for completion by June 2020”, in line with its original estimate.
The agency has also implemented an “increased monitoring capability” to give it “visibility of compliance relating to the mandatory controls as well as detecting suspicious cyber activity”.
The agency is the latest in a long line of agencies to reach compliance with the Australian Signals Directorate’s top four cyber mitigation strategies after review by the national auditor.
These include the Australian Taxation Office, which was found to be only partially compliant with the top four in a 2017 audit.
While the top four have been mandatory for non-corporate Commonwealth entities (NCCEs) for the past seven years, most agencies are still struggling to fully implement the controls.
More than 70 percent of agencies reported below baseline levels of maturity last year, continuing a worrying trend first revealed by the national auditor three years ago.
Shadow Assistant Minister for Cyber Security Tim Watts at a cyber security inquiry this week called for greater accountability around top four and essential eight compliance.
Numerous agencies have recently declined to publicly report their level of compliance, citing the implications that disclosure might have for their cyber security.