Tasmanian government agencies have rejected the advice of the state’s Auditor-General to shore up their systems in line with standards developed by the Australian Signals Directorate.
The state's Auditor-General Mike Blake on Friday released a report into the adequacy of information security inside four of the state's largest bodies: Treasury, Primary Industries, Police and Health.
He found that while all four had made “reasonable” efforts to shore up their data and systems, gaps still existed in their protective frameworks that could be exploited by hackers.
“As a result of the high number of weaknesses identified, I concluded that there were areas of inadequate security at most departments,” Blake reported.
Rather than commission penetration testing of the organisations’ networks, Blake and his team assessed their cyber protections against the Australian Signals Directorate’s (ASD) ‘top four mitigation strategies’ for computer systems.
The four strategies - application whitelisting, patching applications, using the latest versions, and minimising administrative privileges - have been mandatory for federal government agencies since April 2013. The ASD claims the strategies should keep out 85 percent of typical intrusions.
But two of the agencies reviewed by the Tasmanian auditor hit back at the report, arguing that Tasmanian agencies don’t require the same level of cyber protection as their larger Canberra counterparts.
Secretary of the Department of the Treasury and Finance, Tony Ferrall, rejected all but one of the recommendations the Auditor-General directed at his agency, claiming costs of implementation outweigh the risks involved.
Ferrall knocked back suggestions DTF needed to re-test its disaster recovery set-up, even though the agency has conducted only ad-hoc assessments for the last four years.
He also said the agency had no need for application whitelisting because only selected IT staff had the authority to install software on Treasury computers, and argued the costs involved in upgrading CCTV at its physical IT sites outweighed the potential benefits.
His counterpart at the state's Department of Primary Industries, Parks, Water and Environment (DPIPWE), John Whittington, took umbrage at the very basis of the review.
The audit team found DPIPWE displayed “significant deficiencies” in its infosec protections, uncovering a server room not controlled by swipe-card access or intruder alarms, and a failure to record which application patches had been installed and which hadn’t.
Whittington claimed that the ASD top four was the “gold standard” for information protection.
He said there were "major differences in the level of risk and business functions and operations of Australian Government and Tasmanian government agencies” and warned the state should be wary of a “one size fits all” approach.
The Auditor-General refused to be drawn on the wisdom of the agencies’ rejection of his recommendations.
However, he told iTnews there was no reason that the personal information of Tasmanians should be any less protected than that of the citizens of any other state or territory.
“We should aim for the best standards,” he said. “Defence agencies of course are in a different league, but in my mind we have just about as much need for these sorts of protections as other Commonwealth agencies."
He pointed out that the two department secretaries had no reason to be surprised about his use of the ASD framework as a performance benchmark.
“When we started this audit about 12 months ago we made it clear that we would be using the top four as the benchmark, so I don’t have very much sympathy for those agencies that are now arguing that it is too difficult,” he said, adding that he received no push-back on the security framework when the audits began.
Blake plans to return to the agencies in two years’ time to review their infosec progress.
He said he would be interested in how DTF and DPIPWE fare in comparison to the Department of Police and Emergency Services and the Department of Health and Human Services, both of which have been far more open to his advice.
“We didn’t go in and try to hack any of the agencies this time around. Maybe that is something we will consider doing as part of the two year review,” he said.