The Victorian Electoral Commission has rebuilt its cyber security capabilities with an eye on meeting the Australian Signals Directorate’s Essential Eight principles in the near future.
The work began after the commission received a less-than-positive audit of its cyber security operations in January 2018 that highlighted 19 areas of concern and found zero maturity against the Essential Eight.
Due to the size and complexity of the work that needed to be done in such a sensitive area, the VEC decided to partner with Microsoft to tackle some of the more pressing issues.
The resulting cyber security platform was designed with the acceptance that meeting the Essential Eight wouldn’t be achievable in the short term; rather, it serves as the basis for continued improvement with a focus on achieving the ASD’s Top Four.
By early 2020, the platform had helped the commission establish a substantial and maintainable improvement in its security posture through ‘quick wins’ including better management of security updates, removing unsupported legacy operating systems, and implementing a revamped credential system.
The VEC also overhauled its disaster recovery and backup processes while re-examining its response plans and security controls to better respond to security incidents.
Other short-term initiatives include disabling macros and more clearly defining roles and responsibilities around cyber within the commission, with long-term planning covering the development of a cyber security roadmap with re-prioritised recommendations.
More broadly, the project was also concerned with instilling a cultural change and embedding good security practices and governance into everything that the VEC IT team deliver to prevent a repeat of the commission’s audit performance.
This project is a finalist in the Resilience category of the iTnews Benchmark Awards 2020.