The Department of Home Affairs is nearing full compliance with the federal government’s minimum cyber security requirements, with all but one of the top four cyber mitigation strategies now in place.
The department reached compliance with two of the Australian Signals Directorate’s strategies, application whitelisting and monthly patching of operating systems, at the start of this financial year.
Compliance with the strategies comes more than a year after the department failed a cyber resilience audit into the then-Immigration, Human Services, and Tax agencies.
The strategies became mandatory for agencies in April 2013, as part of their annual protective security policy framework (PSPF) self-reporting commitments.
Immigration was found to be the worst performing of the three agencies during the audit, with just one of the four strategies – minimising administrative privileges – in place.
It later blamed the highly complex IT environment that spawned from the 2015 merger of the Immigration and Customs agencies for failing the cyber security audit.
The department pledged to be compliant with application whitelisting across all desktops by July 2017 and servers by July 2018, though it hadn’t committed to a definite timeline for monthly patching of operating systems.
But earlier this month the department confirmed to iTnews that it was now fully compliant with both strategies, in addition to deploying “additional controls” to improve its cyber resilience.
“The Department of Home Affairs is compliant with application whitelisting and monthly patching of operating systems,” the spokesperson said.
“The Department also employs additional controls through a defence-in-depth capability to minimise the risks of a successful cyber-attack.
“These controls have been effective in preventing intrusions to departmental systems or the compromise of data.”
Monthly patching of applications now remains the only top four strategy yet to be addressed by the department.
However, the department admits that compliance with this remaining strategy is still some years off.
“The Department currently patches a number of high-risk applications through its monthly desktop patching cycle, and will review and risk assess the remaining applications to achieve compliance by June 2020.”