SAN outages put dent in ATO's cybersecurity

The high-profile failure of an ATO storage area network (SAN) left the tax office struggling to be compliant with its IT security obligations.

A submission [pdf] by the ATO to the joint committee of public accounts and trust shows while the agency had been tracking well to meet the ASD's top four mitigation strategies this year, the well-documented SAN failures put a dent in its overall IT security profile.

Its biggest challenge in remaining compliant came whilst attempting to restore the damaged system.

"Whilst the ATO was fully compliant in November 2016 with whitelisting our Windows-based servers, our current levels of compliance have been impacted by the ATO’s recent SAN outages," the agency said.

"In support of the full restoration and remediation program, whitelisting on a range of servers needed to be disabled and re-enabled as the restoration progresses.

"We have plans in place to progressively re-enable whitelisting in coming months taking into account tax time activities."

The ATO expects the application whitelisting and patching cycle - one of the four components of the ASD's cybersecurity mitigation strategies - for the servers to be re-enabled by July this year.

The ATO and Immigration department were placed on notice after a damning audit report found the pair had failed to meet the ASD's top four cyber mitigation strategies.

The audit revealed the two agencies had failed to properly implement application whitelisting, patch operating systems and applications, and were not effectively managing their IT supplier contact.

They are currently subject to a further inquiry by parliament's joint committee of public accounts and audit on their cyber security compliance.

The ATO said in its submission to the inquiry that it has set up a security operations centre that will monitor, detect and deter ongoing persistent threats in order to to further strengthen defences, as required by the ASD.

The SOC will use layered security gateway infrastructure, intrusion detection systems, and data loss prevention tools.

A vulnerability management program has also been established and a new chief security officer has been appointed, the ATO said.