Some of the federal government’s most powerful departments are among those still failing to fully implement mandatory cyber security controls, leaving them “vulnerable” to attack, the national auditor has revealed.
A handful of agencies are also continuing to assess themselves incorrectly against the government’s protective security policy framework (PSPF), raising further concerns about the usefulness of self-assessments.
In its latest cyber resilience review released on Friday [pdf], the Australian National Audit Office (ANAO) found none of the seven agencies it inspected had “fully implemented all the mandatory Top Four mitigation strategies”.
The audit looked at the Attorney-General’s Department (AGD); Department of Prime Minister and Cabinet (PM&C); Department of Health; Department of Education, Skills and Employment (DESE); Future Fund Management Agency; IP Australia; and Austrade.
It is yet another poor result for the government, which continues to struggle with low levels of compliance since the Top Four became mandatory for non-corporate Commonwealth entities in April 2013.
Of the seven agencies examined, three – PM&C, AGD and the Future Fund Management Agency – self-assessed as having fully implemented one or more of the Top Four controls in their 2018-19 PSPF self-assessment.
PM&C reported having fully implemented all of the Top Four, affording it a ‘managing’ – or baseline – maturity rating, while AGD and the Future Fund reported a ‘developing’ rating – the second lowest rating attainable after ‘ad hoc’.
But the audit reveals that PM&C and AGD incorrectly self-assessed as fully compliant with one control in their self-assessments and are instead considered “vulnerable” to cyber attack under the framework.
PM&C was found not to have implemented the restricting administrative privileges mitigation strategy as it reported, specifically around the validation of privileged user access.
“While PM&C has a process for validating privileged access on an annual basis, it does not sufficiently ensure that privileged access is restricted to personnel that require it to undertake their duties,” the report said.
“Weaknesses in PM&C’s validation processes increase the risk that a cyber intrusion could result in an adversary acquiring privileged access to its systems and subsequently change and bypass other security measures to compromise the system.”
In its response to the audit, PM&C said it “does not agree with the ANAO’s assessment”, but accepted the recommendation that it strengthen its validation of privileged user access and improve testing of security configurations.
AGD, on the other hand, was found not to have implemented the patching operating systems strategy – one of the two Top Four controls that it had reported having fully implemented.
The audit said that while AGD had “substantially” implemented the requirements for patching operating systems, some operating system patches on servers had not been applied within information security manual (ISM) timeframes.
It recommended that AGD perform and document a risk assessment for any patches not implemented, and improve its processes for documenting risk assessments and monitoring cyber security events, to which the department agreed.
The Future Fund Management Agency, which unlike PM&C and AGD correctly self-assessed, was found to be internally resilient, meaning it has some measures in place to detect, manage and recover from cyber security incidents.
The remaining four agencies assessed as part of the review – Health, DESE, IP Australia and Austrade – all self-assessed as having either an ‘ad hoc’ or ‘developing’ rating in 2018-19, meaning they had not fully implemented any of the Top Four.
Ad hoc and developing ratings accounted for 73 percent of all self-assessments in 2018-19 PSPF reporting, according to the government’s first cyber security posture report released last year.
Health said it intends to “uplift the maturity levels of its Essential Eight mitigation strategies by December 2021”, having commenced a program of work to improve its standing in 2018-19.
DESE has not set a timeframe to improve its maturity, though it planned to “target ‘maturity level two’ under the Essential Eight maturity model for two of the Top Four mitigation strategies” in 2020.
The audit also noted that while the Department of Home Affairs, Australian Signals Directorate and Attorney-General’s Department had increased support for agencies, further work is needed.
“Additional ongoing work will be required to assist entities in achieving a more mature and resilience,” it said, adding there is “scope to further improve the accuracy of entities’ PSPF policy 10 assessments”.
PSPF policy 10 requires agencies to safeguard information from cyber threats.
The auditor called on AGD to review the “existing maturity levels under the PSPF maturity assessment model to determine if the maturity levels are fit-for-purpose”, which the department is already in the process of doing.
As reported by iTnews, AGD last year revealed it was considering further improving the framework to drive compliance.