Cyber audits have been a source of perpetual misery and frustration for federal agencies since the dawn of the internet. After all, why have the function of a central scrutinizer like the Australian National Audit Office if it can’t highlight the shortcomings of agencies so they can lift their game?
But what happens when government gets cyber right? So right it not only sets the bar, but raises it to the point that it forms an aspirational benchmark for others to follow?
So it was on Thursday, when the ANAO handed out the rudest of good health certificates to the Reserve Bank of Australia for its cyber resilience after a sweep of super-critical government organisations.
The RBA’s trackmates included the hyper security sensitive Australian Submarine Corporation and Australia Post. The subs came a close second and Post a long third, but that’s a different story.
According to the ANAO, they went looking for who’s got cyber resilience right and, well, the RBA pretty well nailed it. It’s easy to make jokes about how central banks literally set ‘gold standards’, but the national vault is pretty hard to fault.
The official quote follows but the bottom line is ANAO went hunting for good, not bad – and they found it.
“Despite the importance of cyber security in safeguarding the Australian Government’s digital information, there have been ongoing low levels of cyber resilience of non-corporate Commonwealth entities and weaknesses in the regulatory framework for ensuring compliance with mandatory cyber security strategies,” the ANAO said.
“This audit was undertaken to enable comparison with government business enterprises and corporate Commonwealth entities, and provide information to help strengthen the regulatory framework and improve cyber resilience of Commonwealth entities.”
“The three entities are at different stages in embedding a cyber resilience culture,” the auditor said.
“The Reserve Bank has a strong cyber resilience culture, having established all 13 assessed behaviours and practices in the areas of cyber security governance and risk management, roles and responsibilities, technical support and monitoring compliance.
“ASC is developing a cyber resilience culture, having embedded seven of the assessed behaviours and practices and working to more fully establish the other six cyber security behaviours and practices within its business processes.
“While having embedded eight of the 13 assessed behaviours and practices, Australia Post has not systematically managed cyber risks, including not assessing the effectiveness of controls applied outside its specified cyber security risk management framework. Nevertheless, Australia Post is working towards embedding a cyber resilience culture.”
Let’s just flip the critique for a second and focus on who ‘got it right’. Because that’s the rare and repeatable lesson people are supposedly looking for.
“Despite the importance of cyber security in safeguarding the Australian Government’s digital information, there have been ongoing low levels of cyber resilience of non-corporate Commonwealth entities and weaknesses in the regulatory framework for ensuring compliance with mandatory cyber security strategies.
“This audit was undertaken to enable comparison with government business enterprises and corporate Commonwealth entities, and provide information to help strengthen the regulatory framework and improve cyber resilience of Commonwealth entities.”
Or, to cut 71 words down to size, ‘who’s getting it right?’.
“The Reserve Bank has comprehensive arrangements in place to support ICT operational staff in understanding cyber threats to the ICT systems that support corporate and service operations. The Reserve Bank primarily uses in-house operational staff to support its ICT systems.
“All ICT operational staff, and contract staff working on-site, are required to complete a security induction. Activities to inform ICT staff about potential cyber threats to the Reserve Bank’s systems include daily, weekly and monthly briefings and forums among ICT security and operational teams,” the ANAO said.
“In addition to the expected security roles that were present in all three entities, such as a Chief Information Security Officer, the Reserve Bank has a Business Information Security Officer program.
“The program operates by nominating an ICT security team member as the point of contact for security related information, and in some instances, working within business teams. The role requires the person to provide suggestions and feedback to the ICT security team, based on their understanding of both the Reserve Bank’s business and security environments.”
Regulatory praise. Take it when you get it.