Gov should seek 'external assurance' of cyber security maturity

Agency self-assessments are not enough.

The government has been asked to consider implementing “a robust external assurance process” on agency self-assessments of cyber security maturity.

A committee examining audited financial statements of agencies made the recommendation yesterday, saying it was important for the government to be “aware of the true situation in relation to public sector cyber security”.

The committee backed concerns raised by the Australian National Audit Office (ANAO) about a “persistent optimism bias” in agencies’ self-assessed maturity levels.

It believed there was some “likelihood that agencies understate the true picture of the vulnerabilities that may exist”.

It also said that persistent issues, “particularly failures to terminate user access appropriately … cannot be allowed to continue year-on-year without further mitigations given the escalating cyber security threat to the Commonwealth.”

The committee concluded there is a need for “a robust external assurance process to provide government confidence that it has an accurate picture of the cyber security capabilities” of agencies.

“The Auditor-General has identified a persistent optimism bias in how agencies self-report their cyber security compliance,” committee chair Julian Hill said in a statement.

“This issue has gone on for too long, and it’s time [the] government considers implementing an assurance regime on agencies’ self-reporting on cyber security compliance. 

“Agencies should not be able to disguise the true situation from the government in relation to public sector cyber security vulnerabilities.”

Similar questions have also been posed in NSW, where self-assessments aren’t audited for accuracy.

Copyright © iTnews.com.au. All rights reserved.